2016-10-28 - EITEST RIG EK SENDS CRYPTFILE2 RANSOMWARE & CHTHONIC BANKING TROJAN

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-10-28-EITest-Rig-EK-both-pcaps.zip   538 kB (538,198 bytes)

• 2016-10-28-EITest-Rig-EK-first-run-sends-CryptFile2-ransomware.pcap   (213,010 bytes)
• 2016-10-28-EITest-Rig-EK-second-run-sends-Chthonic.pcap   (581,344 bytes)

• ZIP archive of the malware:  2016-10-28-EITest-Rig-EK-malware-and-artifacts.zip   294 kB (294,062 bytes)

• 2016-10-28-CryptFile2-HELP_DECRYPT_YOUR_FILES.TXT   (3,219 bytes)
• 2016-10-28-EITest-Rig-EK-flash-exploit-first-run.swf   (52,558 bytes)
• 2016-10-28-EITest-Rig-EK-flash-exploit-second-run.swf   (52,558 bytes)
• 2016-10-28-EITest-Rig-EK-landing-page-first-run.txt   (3,341 bytes)
• 2016-10-28-EITest-Rig-EK-landing-page-second-run.txt   (3,276 bytes)
• 2016-10-28-EITest-Rig-EK-payload-first-run-CryptFile2.exe   (89,088 bytes)
• 2016-10-28-EITest-Rig-EK-payload-second-run-Chthonic.exe   (184,320 bytes)
• 2016-10-28-page-from-activaclinics.com-with-injected-EITest-script-first-run.txt   (59,236 bytes)
• 2016-10-28-page-from-activaclinics.com-with-injected-EITest-script-second-run.txt   (58,130 bytes)

 

NOTES:

• There are currently at least 2 versions of Rig EK being used in the wild by different campaigns.
• One is an updated/evolving "VIP version" version of Rig EK that @kafeine has described as RIG-v here.
• The other version of Rig EK is "regular Rig" that generally looks the same as it has for a while now.
• RIG-v is currently being used by the Afraidgate and pseudoDarkleech campaigns.
• Regular Rig EK is still being used by the EITest campaign.

• Thanks to Baber for sending me info about the compromised site used in this blog entry.

 

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-10-03 - Palo Alto Networks Unit 42 blog:  EITest Campaign Evolution: From Angler EK to Neutrino and Rig.
• 2016-10-03 - Broadanalysis.com:  EITest campaign stopped using a gate.
• 2016-10-15 - Broadanalysis.com:  EITest campaing stops using obfuscation for injected script in pages from compromised websites.

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the EITest campaign in a page from the compromised site (first run).

Shown above:  Injected script from the EITest campaign in a page from the compromised site (second run).

Shown above:  Traffic from the infection filtered in Wireshark (first run).

Shown above:  Traffic from the infection filtered in Wireshark (second run).

 

ASSOCIATED DOMAINS:

• activaclinics.com - Compromised site
• 195.133.48.171 port 80 - new.pyramidparadox.com - Rig EK (first run that sent CryptFile2)
• 89.45.67.193 port 80 - fkj655.kc3y9zc.top - Rig EK (second run that sent Chthonic)
• 5.39.84.236 port 80 - 5.39.84.236 - CryptFile2 post-infection traffic from the first run
• 107.181.187.178 port 80 - belonaratojolemerakew.com - Chthonic post-infection callback from the second run

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  2708663dafea6f9fc5f5549b2f69771178c172dcfc6ce6e3366c6a517f4449a0
  File name:  2016-10-28-EITest-Rig-EK-flash-exploit-first-run.swf   (52,558 bytes)
  File name:  2016-10-28-EITest-Rig-EK-flash-exploit-second-run.swf   (52,558 bytes)

PAYLOADS:

• SHA256 hash:  730c76b5761c02c65956dbd4afb6b44a946c76f51b0f8e039a0076ff098bc9b5
  File name:  C:\Users\[username]\AppData\Local\Temp\E3E8.tmp   (89,088 bytes) - CryptFile2

• SHA256 hash:  a1bd2638a30a176e35800752d00e74ee220d480d82ab0b707381293054e34e32
  File name:  C:\Users\[username]\AppData\Local\Temp\1390.tmp   (184,320 bytes) - Chthonic

 

IMAGES

Shown above:  Desktop af a Windows host infected with today's CryptFile2 sample (and associated Registry entries).

 

Shown above:  Chthonic banking trojan and the associated registry entries for persistence (I ran it twice).

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-10-28-EITest-Rig-EK-both-pcaps.zip   538 kB (538,198 bytes)
• ZIP archive of the malware:  2016-10-28-EITest-Rig-EK-malware-and-artifacts.zip   294 kB (294,062 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.