2017-02-14 - EITEST RIG EK SENDS CRYPTOSHIELD RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-02-14-EITest-Rig-EK-sends-CryptoShield-pcaps.zip   648 kB (648,283 bytes)
• ZIP archive of the malware:  2017-02-14-EITest-Rig-EK-sends-CryptoShield-malware-and-artifacts.zip   273 kB (272,632 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

• I haven't seen Empire Pack (also known as Rig-E) so far in 2017.
• Rig-V is actually the current version of Rig EK (Rig 4.0), so I've stopped calling it "Rig-V."
• Now I'm just calling it "Rig EK."

BACKGROUND ON THE EITEST CAMPAIGN:

• My most recent write-up on the EITest campaign can be found here.

BACKGROUND ON CRYPTOSHIELD RANSOMWARE:

• On 2017-01-31, CryptFile2/CryptoMix got a facelift and is now calling itself CryptoShield.
• BleepingComputer posted a great writeup of CryptoShield ransomware (link).
• I also did an ISC diary recently about CryptoShield from Rig EK here.
• On 2017-02-14, CryptoShield ransomware changed from version 1.2 to version 2.0.
• Doesn't seem to be much difference between the two versions.

OTHER NOTES:

• As always, thanks to everyone who tweets about these compromised sites or emails me directly.  It's always appreciated!

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Example of injected script from the EITest campaign in a page from the compromised site.

 

Shown above:  Another xample of injected script from the EITest campaign in a page from the compromised site.

 

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

Shown above:  Another pcap of the infection traffic filtered in Wireshark.

 

Shown above:  Another pcap of the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• www.caltech.fr - Compromised site
• www.stephanemalka.com - Compromised site
• 92.53.97.102 port 80 - wer.datinguppercrust.com - Rig EK
• 217.107.34.154 port 80 - new.theagingbusiness.com - Rig EK
• 217.107.34.154 port 80 - ex.twittergrandma.com - Rig EK
• 107.191.62.136 port 80 - 107.191.62.136 - CryptoShield post-infection traffic

• res_sup@india.com - first email from CryptoShield decryption instructions
• res_sup@computer4u.com - second email from CryptoShield decryption instructions
• res_reserve@india.com - third email from CryptoShield decryption instructions

 

FILE HASHES

FLASH EXPLOIT:

• 37f7e78080f85e6f98136e927a69a72ea7d619f230b476b5d6826ebc1eee29a0 (38,003 bytes) - Rig EK flash exploit

PAYLOADS:

• 2996308540b6848fbf2d8b1f1a6865ebf717cd61990aabb9975c28d570f12537 - EITest Rig EK payload (CryptoShield 1.2)
• 2b658da052076ae93ffd1ffa967aaa2663f0d91bdfdc3dd617557e9a4607daa4 - EITest Rig EK payload (CryptoShield 2.0)
• 330be928a66930ef78513c8e464828eb146083e4110ce452969fedb5c44400a4 - EITest Rig EK payload (CryptoShield 2.0)

 

IMAGES

Shown above:  Desktop of an infected Windows host very early on 2017-02-14 (still 2017-02-13 in the US).

 

Shown above:  Desktop of an infected Windows host much later on 2017-02-14.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-02-14-EITest-Rig-EK-sends-CryptoShield-pcaps.zip   648 kB (648,283 bytes)
• ZIP archive of the malware:  2017-02-14-EITest-Rig-EK-sends-CryptoShield-malware-and-artifacts.zip   273 kB (272,632 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.