2017-01-31 - EITEST RIG EK FROM 195.133.144.228 SENDS CRYPTOSHIELD RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-01-31-EITest-Rig-EK-sends-CryptoShield.pcap.zip 180 kB (180,014 bytes)
- 2017-01-31-EITest-Rig-EK-sends-CryptoShield.pcap (245,030 bytes)
- ZIP archive of the malware: 2017-01-31-EITest-Rig-EK-sends-CryptoShield-malware-and-artifacts.zip 104 kB (103,860 bytes)
- 2017-01-31-CryptoShield-decryption-instructions.html (3,052 bytes)
- 2017-01-31-CryptoShield-decryption-instructions.txt (1,810 bytes)
- 2017-01-31-EITest-Rig-EK-artifact-QTTYUADAF.txt (1,137 bytes)
- 2017-01-31-EITest-Rig-EK-flash-exploit.swf (17,015 bytes)
- 2017-01-31-EITest-Rig-EK-landing-page.txt (5,241 bytes)
- 2017-01-31-EITest-Rig-EK-payload-CryptoShield-rad6BF31.tmp.exe (95,744 bytes)
- 2017-01-31-page-from-activaclinics.com-with-injected-EITest-script.txt (118,682 bytes)
BACKGROUND ON RIG EXPLOIT KIT:
- I haven't seen Empire Pack (also known as Rig-E) so far in 2017.
- Since Rig-V is actually the current version of Rig EK (Rig 4.0), I'll stop calling it "Rig-V."
- From now on, I'm just calling it "Rig EK."
BACKGROUND ON THE EITEST CAMPAIGN:
- My most recent write-up on the EITest campaign can be found here.
BACKGROUND ON CRYPTOSHIELD RANSOMWARE:
- CryptFile2 is the term I've seen in EmergingThreats alerts triggering on callback traffic from this family of ransomware.
- On 2016-11-28, I saw a version that called itself CryptoMix (link), so I'd been calling it that until now.
- In today's sample, it appears CryptFile2/CryptoMix got a facelift and is now calling itself CryptoShield.
- CryptoShield currently uses .CRYPTOSHIELD as the file extension for any files it encrypts.
- There are changes in the callback traffic, too, but it acts quite a bit like CryptFile2/CryptoMix, so it appears to be an update for this ransomware family.
- Earlier today, BleepingComputer posted a great writeup of CryptoShield ransomware (link).
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script from the EITest campaign from the compromised site.
Shown above: Pcap of the infection traffic filtered in Wireshark.
ASSOCIATED DOMAINS:
- activaclinics.com - Compromised site
- 195.133.144.228 port 80 - koko.yoncaliaparts.com - Rig EK
- 45.76.81.110 port 80 - 45.76.81.110 - CryptoShield post-infection traffic
- restoring_sup@india.com - first email from CryptoShield decryption instructions
- restoring_sup@computer4u.com - second email from CryptoShield decryption instructions
- restoring_reserve@india.com - third email from CryptoShield decryption instructions
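As an added example (not part of the original post), the indicators listed above can be turned into a small log-matching routine. The log format and the sample lines below are constructed for illustration; only the domain, IP addresses and file extension come from this post.

```python
# Added example: match constructed HTTP log lines against the indicators listed in the post.
# Indicators from the post: compromised site, Rig EK domain/IP, CryptoShield callback IP.
IOCS = {
    "activaclinics.com": ("compromised-site", "compromised site with injected EITest script"),
    "koko.yoncaliaparts.com": ("rig-ek", "Rig EK domain"),
    "195.133.144.228": ("rig-ek", "Rig EK server IP"),
    "45.76.81.110": ("callback", "CryptoShield post-infection callback IP"),
}
# Order of the chain shown in the flowchart: compromised site -> Rig EK -> callback.
CHAIN = ("compromised-site", "rig-ek", "callback")

# Constructed sample log, format "<ts> <src_ip> <dst_ip> <host> <uri>" (not from the pcap).
SAMPLE_LOG = [
    "2017-01-31T15:01:02 10.0.0.5 203.0.113.10 activaclinics.com /",
    "2017-01-31T15:01:04 10.0.0.5 195.133.144.228 koko.yoncaliaparts.com /",
    "2017-01-31T15:01:09 10.0.0.5 45.76.81.110 45.76.81.110 /",
    "2017-01-31T15:02:00 10.0.0.5 192.0.2.7 example.com /index.html",
]

def match_http_log(lines):
    """Return (ts, indicator, stage, label) for every line touching a known indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed records instead of aborting the scan
        ts, _src, dst, host, _uri = parts[:5]
        # sorted set: a bare-IP Host header (as in the callback) must not count twice
        for value in sorted({dst, host.lower()}):
            if value in IOCS:
                stage, label = IOCS[value]
                hits.append((ts, value, stage, label))
    return hits

def full_chain_observed(hits):
    """True when compromised site, Rig EK and callback all appear, in that order."""
    pos = 0
    for stage in CHAIN:
        while pos < len(hits) and hits[pos][2] != stage:
            pos += 1
        if pos == len(hits):
            return False
        pos += 1
    return True

def encrypted_files(paths):
    """Paths carrying the .CRYPTOSHIELD extension the post reports for encrypted files."""
    return [p for p in paths if p.upper().endswith(".CRYPTOSHIELD")]
```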
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: 04fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41c (17,015 bytes)
File description: Rig EK Flash exploit seen on 2017-01-31
PAYLOAD (CRYPTOSHIELD):
- SHA256 hash: 2d100eaab9afe1c84ee5a642603cbd5ee5a12246a08466b5fea84924b918be26 (95,744 bytes)
File path example: C:\Users\[username]\AppData\Local\Temp\rad6BF31.tmp.exe
IMAGES
Shown above: Desktop of an infected Windows host.
Shown above: Example of some encrypted files.
Shown above: The ransomware staying persistent on an infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-01-31-EITest-Rig-EK-sends-CryptoShield.pcap.zip 180 kB (180,014 bytes)
- ZIP archive of the malware: 2017-01-31-EITest-Rig-EK-sends-CryptoShield-malware-and-artifacts.zip 104 kB (103,860 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.