It’s always interesting to find different malwares from Rig EK. This campaign was found from malvertising. There did not appear to be a compromised site as such so it could be a possible TDS. The landing page and flash/payload appeared to be hosted on different IP addresses which is unusual.
The initial payload was Pony loader which loaded a ransomware known as Philadelphia ransomware. This ransomware is created from a builder. The instructions are here.
It encrypted files with a .locked extension and demanded a 0.3 Bitcoin ransom. It is not known to be a particularly sophisticated malware.
I requested the help of @Antelox again who quickly identified it as Pony/Philadelphia just from my description.
- A few articles on Rig exploit kit and it’s evolution:
- Articles regarding Philadelphia ransomware.
(in password protected zip: (infected))
- 15-May-2017-Rig-Pony-Ransom -> Pcap
- 15-May-2017-Rig-Pony-Ransom-CSV -> CSV of the traffic for IOC’s
- 15-May-2017-Pony-Philadelphia -> Pony loader and Philadelphia ransomware
Details of infection chain:
(click to enlarge!)
A malvertising chain (possible Keitaro TDS) leads to a 302 to Rig EK.
The Rig Landing Page is 18.104.22.168 however the Flash file and Payload comes from 22.214.171.124 which also appears to have no domain. The landing page displayed the text “Hehe nuclear” in the browser.
The payload dropped was Pony loader which made a POST request to 126.96.36.199
|Detection ratio:||22 / 61|
Pony downloads a large executable which is a Philadelphia ransomware variant.
|Detection ratio:||41 / 61|
The ransomware appeared to be very noisy. The CnC used the user agent string “AutoIt” and the URL’s were self explanatory such as “de/de.php?p=Ping&id=5918651572eb6&s=Encrypting+%280+files%29”. The ransomware is written in the AutoIT scripting language.
Finally a window is created with a red ransom demand. A ransom note is created and all files are encrypted using the .locked extension. It also appeared to lock me out of accessing common folders such as Pictures. The ransomware demands 0.3 Bitcoin.
This is a list of files that were dropped (You can download these):