Rig EK drops Pony, leads to Philadelphia Ransomware

Summary:

It’s always interesting to find different malwares from Rig EK. This campaign was found from malvertising. There did not appear to be a compromised site as such so it could be a possible TDS. The landing page and flash/payload appeared to be hosted on different IP addresses which is unusual.

The initial payload was Pony loader which loaded a ransomware known as Philadelphia ransomware. This ransomware is created from a builder. The instructions are here.

PonyBadge

It encrypted files with a .locked extension and demanded a 0.3 Bitcoin ransom. It is not known to be a particularly sophisticated malware.

I requested the help of @Antelox again who quickly identified it as Pony/Philadelphia just from my description.

Background Information:

  • A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Articles regarding Philadelphia ransomware.

https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware

https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/

Downloads

(in password protected zip: (infected))

Details of infection chain:

(click to enlarge!)

RigPonyRansom

Rig EK drops Pony loader which loads Philadelphia Ransomware

Full Details:

A malvertising chain (possible Keitaro TDS) leads to a 302 to Rig EK.

The Rig Landing Page is 69.61.66.226 however the Flash file and Payload comes from 185.158.112.49 which also appears to have no domain. The landing page displayed the text “Hehe nuclear” in the browser.

Hehenuclear

The payload dropped was Pony loader which made a POST request to  89.45.67.99
/ppp/gate.php

SHA256: 82a363d6e60ec002b7d76f05970292b993f9ef72192e1db552b1f32b907cd466
File name: oeloatd4.exe
Detection ratio: 22 / 61

Pony downloads a large executable which is a Philadelphia ransomware variant.

SHA256: 661133c3848e57c4541a54b094c1b7124986872c4ce475ceda02440b48c823c1
File name: 2223607.exe
Detection ratio: 41 / 61

The ransomware appeared to be very noisy. The CnC used the user agent string “AutoIt” and the URL’s were self explanatory such as “de/de.php?p=Ping&id=5918651572eb6&s=Encrypting+%280+files%29”. The ransomware is written in the AutoIT scripting language.

noisy

Finally a window is created with a red ransom demand. A ransom note is created and all files are encrypted using the .locked extension. It also appeared to lock me out of accessing common folders such as Pictures. The ransomware demands 0.3 Bitcoin.

ransom

RansomNote

Locked

 

This is a list of files that were dropped (You can download these):

Dropped

One thought on “Rig EK drops Pony, leads to Philadelphia Ransomware

  1. Pingback: Rig EK via TDS drops Smoke Loader, leads to TeamViewer. | Zerophage Malware

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s