Summary:
It’s always interesting to find different malware from Rig EK. This campaign was found via malvertising. There did not appear to be a compromised site as such, so a TDS is a possibility. The landing page and the Flash file/payload appeared to be hosted on different IP addresses, which is unusual.
The initial payload was Pony loader, which downloaded a ransomware known as Philadelphia ransomware. This ransomware is created from a builder. The instructions are here.
It encrypted files with a .locked extension and demanded a 0.3 Bitcoin ransom. It is not known to be particularly sophisticated malware.
I requested the help of @Antelox again who quickly identified it as Pony/Philadelphia just from my description.
Background Information:
- A few articles on Rig exploit kit and its evolution:
https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html
- Articles regarding Philadelphia ransomware.
Downloads
(in password protected zip: (infected))
- 15-May-2017-Rig-Pony-Ransom -> Pcap
- 15-May-2017-Rig-Pony-Ransom-CSV -> CSV of the traffic for IOCs
- 15-May-2017-Pony-Philadelphia -> Pony loader and Philadelphia ransomware
Details of infection chain:
Full Details:
A malvertising chain (possibly a Keitaro TDS) leads to a 302 redirect to Rig EK.
The Rig landing page is on 69.61.66.226; however, the Flash file and payload come from 185.158.112.49, which also appears to have no domain. The landing page displayed the text “Hehe nuclear” in the browser.
The payload dropped was Pony loader, which made a POST request to 89.45.67.99/ppp/gate.php
SHA256: 82a363d6e60ec002b7d76f05970292b993f9ef72192e1db552b1f32b907cd466
File name: oeloatd4.exe
Detection ratio: 22 / 61
Pony then downloads a large executable, which is a Philadelphia ransomware variant.
SHA256: 661133c3848e57c4541a54b094c1b7124986872c4ce475ceda02440b48c823c1
File name: 2223607.exe
Detection ratio: 41 / 61
The ransomware appeared to be very noisy. The CnC traffic used the user agent string “AutoIt” and the URLs were self-explanatory, such as “de/de.php?p=Ping&id=5918651572eb6&s=Encrypting+%280+files%29”. The ransomware is written in the AutoIt scripting language.
Finally a window is created with a red ransom demand. A ransom note is created and all files are encrypted with the .locked extension. It also appeared to lock me out of common folders such as Pictures. The ransomware demands 0.3 Bitcoin.
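The two network patterns above (the Pony POST to /ppp/gate.php and the AutoIt-agent Ping beacons) are easy to hunt for in proxy logs. The following is an added example, not code from the post: it runs over a constructed CSV excerpt (only 89.45.67.99 and the /ppp/gate.php path are from the post; 203.0.113.7 and the other hosts are placeholders) and pulls out the victim id and the URL-decoded status that the ransomware reports.

```python
import csv
import io
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log excerpt in CSV form (sample data, not the post's pcap):
# timestamp, source host, method, user-agent and full request URL per line.
# 89.45.67.99 and /ppp/gate.php come from the post; the other hosts are
# placeholder addresses.
SAMPLE_LOG = """ts,src,method,ua,url
2017-05-15T10:01:02,10.0.0.5,POST,Mozilla/4.0,http://89.45.67.99/ppp/gate.php
2017-05-15T10:01:30,10.0.0.5,GET,AutoIt,http://203.0.113.7/de/de.php?p=Ping&id=5918651572eb6&s=Encrypting+%280+files%29
2017-05-15T10:02:10,10.0.0.5,GET,AutoIt,http://203.0.113.7/de/de.php?p=Ping&id=5918651572eb6&s=Encrypting+%2842+files%29
2017-05-15T10:02:15,10.0.0.9,GET,Mozilla/5.0,http://198.51.100.3/index.php?p=Ping&id=abc
2017-05-15T10:02:40,10.0.0.9,GET,AutoIt,http://198.51.100.3/update.php
"""


def pony_gate_posts(log_text):
    """Return (src, url) for POSTs whose path ends in /gate.php, the
    check-in pattern the Pony loader used here (/ppp/gate.php)."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        path = urlsplit(row["url"]).path
        if row["method"] == "POST" and path.endswith("/gate.php"):
            hits.append((row["src"], row["url"]))
    return hits


def philadelphia_beacons(log_text):
    """Return (src, victim id, decoded status) for requests matching the
    Philadelphia CnC traffic: User-Agent 'AutoIt' plus a p=Ping&id=...&s=...
    query. parse_qs already turns '+' and %28/%29 back into ' ' and '()'."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["ua"].strip() != "AutoIt":
            continue
        q = parse_qs(urlsplit(row["url"]).query)
        if q.get("p") != ["Ping"] or "id" not in q:
            continue
        hits.append((row["src"], q["id"][0], q.get("s", [""])[0]))
    return hits


if __name__ == "__main__":
    for hit in pony_gate_posts(SAMPLE_LOG) + philadelphia_beacons(SAMPLE_LOG):
        print(hit)
```

The status string counts files as they are encrypted, so the sequence of beacons from one victim id gives a rough timeline of how far encryption got before the host was isolated.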
This is a list of files that were dropped (You can download these):