2016-10-23 - AFRAIDGATE RIG EK FROM 194.87.144.48 SENDS LOCKY RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-10-23-Afraidgate-Rig-EK-sends-Locky.pcap.zip   95.8 kB (295,756 bytes)

• 2016-10-23-Afraidgate-Rig-EK-sends-Locky.pcap   (333,410 bytes)

• ZIP archive of the malware:  2016-10-23-Afraidgate-Rig-EK-sends-Locky-malware-and-artifacts.zip   338.7 kB (338,710 bytes)

• 2016-10-23-Afraidgate-Rig-EK-flash-exploit.swf   (51,789 bytes)
• 2016-10-23-Afraidgate-Rig-EK-landing-page.txt   (30,302 bytes)
• 2016-10-23-Afraidgate-Rig-EK-payload-Locky-downloader.exe   (96,768 bytes)
• 2016-10-23-Locky-decryptor-page-style.css   (3,602 bytes)
• 2016-10-23-Locky-decryptor-page.html   (6,011 bytes)
• 2016-10-23-Locky_HOWDO_text.bmp   (4,006,594 bytes)
• 2016-10-23-Locky_HOWDO_text.html   (9,696 bytes)
• 2016-10-23-club.panduan-ngeblog.com-jquery.file.js.txt   (414 bytes)
• 2016-10-23-follow-up-download-Locky.exe   (229,376 bytes)
• 2016-10-23-page-from-ardenne.org-with-injected-script.txt   (18,656 bytes)

NOTES:

• I found today's compromised website in a blog post by @felixw3000 published yesterday titled Analyzing Rig Exploit Kit.  (Take a look, it's a good read.)
• There are currently at least 2 versions of Rig EK being used in the wild by different campaigns.
• This version of Rig EK is a "VIP version" that @kafeine has been calling RIG-v as described here.
• RIG-v is currently being used by the Afraidgate campaign and the pseudoDarkleech campaign.
• Regular Rig EK (the older version) is still being used by the EITest campaign.

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Page from the compromised website with injected script leading to an Afraidgate redirect URL.

 

Shown above:  Afraidgate redirect URL leading to Rig EK landing page.

 

Shown above:  Traffic from the pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• ardenne.org - Compromised website
• 138.68.135.94 port 80 - club.panduan-ngeblog.com - GET /jquery.file.js - Afraidgate redirect
• 194.87.144.48 port 80 - ds.lincolnparklocksmithchicago.net - Rig EK
• 192.227.164.149 port 80 - dromatom.com - GET /forum.php?g=&k=EbOessVfWZ10Bw1XgHGtQ8F1P - Rig EK payload (Locky downloader) retrieving Locky
• 185.102.136.77 port 80 - 185.102.136.77 - POST /apache_handler.php - Locky post-infection callback

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

• jhomitevd2abj3fk.tor2web.org
• jhomitevd2abj3fk.onion.to

 

FILE HASHES

RIG EK (RIG-v) FLASH EXPLOIT:

• SHA256 hash:  4f2936fc74f7982fb450a0edfd0e200c0301b3cba56f3e55cc08cf92d423917d
  File name:  2016-10-23-Afraidgate-Rig-EK-flash-exploit.swf   (51,789 bytes)

RIG EK PAYLOAD (DOWNLOADER FOR LOCKY):

• SHA256 hash:  5d75cf1b675a216ee0ccf3bece9fda40a2d64dac40b34830e51f2952dc4855d1
  File name:  C:\Users\[username]\AppData\Local\Temp\radFFA59.tmp.exe   (96,768 bytes)

FOLLOW-UP MALWARE (LOCKY):

• SHA256 hash:  1d2e56b4160510a977d504a2767a5bad255a0e5a01f1b37d48a1cc628fb7bda6
  File name:  C:\Users\[username]\AppData\Local\Temp\Zc5PC8cdpiKtXskicdosu6rSK.exe   (229,376 bytes)

 

IMAGES

Shown above:  Desktop of an infected Windows host after rebooting.  This is the most recent variant of Locky (the "Odin" variant).

 

Shown above:  Checking the Locky Decryptor page to find the ransom payment (1.5 bitcoin).

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-10-23-Afraidgate-Rig-EK-sends-Locky.pcap.zip   95.8 kB (295,756 bytes)
• ZIP archive of the malware:  2016-10-23-Afraidgate-Rig-EK-sends-Locky-malware-and-artifacts.zip   338.7 kB (338,710 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.