Rig EK drops GandCrab Ransomware Via CVE-2018-4878

Summary:

After some absence, I have returned to blog about Rig EK’s inclusion of CVE-2018-4878. This was reported by @nao_sec and then @kafeine. Initially I had planned to blog about a maldoc: I had obtained a sample of a #ThreadKit document that had recently included this Flash exploit, so I updated my lab in order to display it and give me something to blog about. That’s when I saw the Twitter posts and went hunting for Rig EK instead.

Using a fully patched Win 7 64 bit machine with IE 11 and Flash Player 28,0,0,126, I found a malvertising chain which is in itself very interesting. No more simple iframes and long 302 redirects; this one used multiple JavaScripts. The payload was GandCrab ransomware, which encrypted my files with the .CRAB extension.

The blog is not so detailed, I’m afraid, but hopefully the PCAP will be useful to some.

Background Information:

Downloads

(in password protected zip)

Details of infection chain:

(Image: infection chain diagram)

Win 7 64 bit, IE 11 and Flash 28,0,0,126 – Rig EK drops GandCrab ransomware via CVE-2018-4878

Full Details:

The infection chain begins with malvertising. Compared to past infection chains that used old techniques such as iframes and 302 redirects, this flow appears to use a series of JavaScripts to direct the user to Rig EK. There is a lot going on here, but the end result is a redirect to Rig EK.
It’s been a while since I actually looked at Rig in detail, but at a glance I can see the obfuscation has changed somewhat from the older regex. I had heard it changed to a simple base64 encoding.
(Image: Rig EK landing page)
Testing that base64 idea reveals two URLs which together download the Flash file, along with the RC4 key “P6L5N93wsds”.
(Image: decoded Flash download URLs and RC4 key)
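The base64 step described above, as an added example (my own analysis helper, not the blog’s code and not Rig EK’s actual landing page): it scans page text for base64-looking runs, decodes those that yield printable ASCII, and separates URLs from other tokens such as the RC4 key. The sample page is constructed; its two URLs are placeholders in the reserved .invalid domain, and only the key string is taken from the post.

```python
"""Decode base64-obfuscated strings from an exploit-kit style landing page.

Added example for the 'simple base64' obfuscation described in the post.
The sample page below is constructed, not a real capture.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

# A base64 run: 12+ alphabet chars (enough for an 11-byte key) plus padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def decode_candidates(page_text):
    """Return (encoded, decoded) pairs for blobs that decode to printable ASCII."""
    found = []
    for match in B64_RE.finditer(page_text):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # wrong length/padding or not really base64
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # decodes, but to binary: skip it
        if text.isprintable():
            found.append((blob, text))
    return found


def classify(decoded_items):
    """Split decoded strings into URLs and other tokens (e.g. an RC4 key)."""
    urls, tokens = [], []
    for _, text in decoded_items:
        parsed = urlparse(text)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            urls.append(text)
        else:
            tokens.append(text)
    return urls, tokens


def _b64(s):
    return base64.b64encode(s.encode("ascii")).decode("ascii")


# Constructed sample page (assumption: mimics the layout, not a real capture).
# Placeholder URLs use the reserved .invalid TLD; the key is the one quoted in the post.
SAMPLE_PAGE = f"""<html><body><script>
var u1 = "{_b64('http://example.invalid/?flash=part1')}";
var u2 = "{_b64('http://example.invalid/?flash=part2')}";
var k  = "{_b64('P6L5N93wsds')}";
document.write(atob(u1) + atob(u2));
</script></body></html>"""


if __name__ == "__main__":
    urls, tokens = classify(decode_candidates(SAMPLE_PAGE))
    print("URLs:", urls)
    print("Other tokens (candidate RC4 key):", tokens)
```

The minimum run length of 12 is a tuning knob: shorter runs catch short keys but pull in more false positives from ordinary identifiers, which the padding/validation check then has to filter out.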
For this run I was using a fully patched Win 7 64 bit machine with an up to date IE 11. My Flash version was 28,0,0,126. CVE-2018-4878 is described as “A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161.”
(Image: Flash exploit object)
The Flash object was already on VirusTotal:
ESET-NOD32: a variant of SWF/Exploit.CVE-2018-4878.J
SHA256: 437520117f4deb7691bc0975e413b72c862aef8b18851930f515a385a6a3d54f
File name: 177_.swf
Detection ratio: 9 / 59
The payload was GandCrab ransomware, which encrypted files with the .CRAB extension and left a ransom note. However, it also continually restarted my PC, so I was forced to suspend the process. This also meant I lost some analysis due to the way I have things set up.
(Image: GandCrab)
This is the payment page for GandCrab, which states that the cost will double if I don’t pay up soon.
(Image: GandCrab payment page)
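Since the post notes that the payload renames victim files to the .CRAB extension, here is an added detection example (mine, not from the post): it counts, per process, how many files with that extension were created or renamed inside a sliding 60-second window and flags any process that crosses a threshold. The event lines are constructed; the pids, image paths and file names are made up.

```python
"""Flag processes that write many files with a ransomware extension in a short window.

Added detection example (not from the post). Input is a constructed
file-event log; pids, image paths and file names are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) op=(?P<op>\w+) path=(?P<path>.+)$"
)

# Constructed sample events: one process renaming victim files to .CRAB in
# quick succession, plus benign activity that must not trigger.
SAMPLE_EVENTS = [
    r"2018-04-05T10:15:01Z pid=4120 image=C:\Users\lab\AppData\Local\Temp\svc.tmp op=rename path=C:\Users\lab\Documents\q1.xlsx.CRAB",
    r"2018-04-05T10:15:02Z pid=4120 image=C:\Users\lab\AppData\Local\Temp\svc.tmp op=rename path=C:\Users\lab\Documents\notes.txt.CRAB",
    r"2018-04-05T10:15:02Z pid=4120 image=C:\Users\lab\AppData\Local\Temp\svc.tmp op=rename path=C:\Users\lab\Pictures\cat.jpg.CRAB",
    r"2018-04-05T10:15:03Z pid=4120 image=C:\Users\lab\AppData\Local\Temp\svc.tmp op=rename path=C:\Users\lab\Documents\cv.docx.CRAB",
    r"2018-04-05T10:15:05Z pid=880 image=C:\Windows\explorer.exe op=rename path=C:\Users\lab\Downloads\sample.CRAB",
    r"2018-04-05T10:15:09Z pid=4120 image=C:\Users\lab\AppData\Local\Temp\svc.tmp op=rename path=C:\Users\lab\Desktop\plan.pptx.CRAB",
    r"2018-04-05T10:15:12Z pid=4120 image=C:\Users\lab\AppData\Local\Temp\svc.tmp op=create path=C:\Users\lab\Desktop\budget.csv.CRAB",
    r"2018-04-05T10:20:00Z pid=2200 image=C:\Windows\System32\notepad.exe op=create path=C:\Users\lab\Desktop\todo.txt",
]


def parse_event(line):
    """Parse one event line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["pid"] = int(ev["pid"])
    return ev


def find_encryption_bursts(lines, extension=".CRAB", threshold=5,
                           window=timedelta(seconds=60)):
    """Return {pid: (image, peak_count)} for processes that created or renamed
    at least `threshold` files ending in `extension` within any `window`."""
    stamps_by_pid = defaultdict(list)
    image_by_pid = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] not in ("create", "rename"):
            continue
        if not ev["path"].upper().endswith(extension.upper()):
            continue
        stamps_by_pid[ev["pid"]].append(ev["ts"])
        image_by_pid[ev["pid"]] = ev["image"]

    alerts = {}
    for pid, stamps in stamps_by_pid.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[pid] = (image_by_pid[pid], peak)
    return alerts


if __name__ == "__main__":
    for pid, (image, count) in find_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={image} wrote {count} .CRAB files within 60s")
```

A single rename to .CRAB (the explorer.exe line) stays below the threshold by design; the threshold and window are the knobs to tune against a baseline of normal file activity, and the same function can be run with other extensions as families change.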
I found this flow relatively quickly after hearing about the implementation of this CVE into Rig EK. Time will tell if this exploit will evolve Rig EK or not.

That is all for now!
3 thoughts on “Rig EK drops GandCrab Ransomware Via CVE-2018-4878”

  1. Pingback: Ransomware “GandCrab” may have started spreading via a Flash vulnerability – ITC

  2. Pingback: Week 15 – 2018 – This Week In 4n6

  3. Pingback: Rig EK via Malvertising drops Smoke Loader | Zerophage Malware
