{"id":9042,"date":"2017-08-31T13:10:47","date_gmt":"2017-08-31T21:10:47","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/31\/news-2815\/"},"modified":"2017-08-31T13:10:47","modified_gmt":"2017-08-31T21:10:47","slug":"news-2815","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/08\/31\/news-2815\/","title":{"rendered":"RIG exploit kit distributes Princess Ransomware"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 31 Aug 2017 20:04:32 +0000<\/strong><\/p>\n

We have identified a new drive-by download campaign that distributes the Princess Ransomware, leveraging compromised websites and the RIG exploit kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads.<\/p>\n

We had analyzed <\/a>the Princess Ransomware last November and pointed out that despite similarities with Cerber’s onion page, the actual code was much different. A new payment page<\/a> seemed to have been seen in underground forums and is now being used with attacks in the wild.<\/p>\n

From hacked site to RIG EK<\/h2>\n

We are not so accustomed to witnessing compromised websites pushing exploit kits these days. Indeed, some campaigns have been replaced with tech support scams instead and overall most drive-by activity comes from legitimate publishers and malvertising.<\/p>\n

Yet, here we observed an\u00a0iframe injection which redirected from the hacked site to a temporary gate distinct from the well-known “Seamless gate” which has been dropping copious amounts of the Ramnit Trojan.<\/p>\n

\"\"<\/p>\n

The ultimate call to the RIG exploit kit landing page is done via a standard 302 redirect leading to one of several Internet Explorer (CVE-2013-2551<\/a>,\u00a0CVE-2014-6332<\/a>, CVE-2015-2419<\/a>, CVE-2016-0189<\/a>) or Flash Player (CVE-2015-8651<\/a>) vulnerabilities.<\/p>\n

Princess Ransomware<\/h2>\n

Once the exploitation phase is successful, RIG downloads and runs the Princess Ransomware. The infected user will notice that their files are encrypted and display a new extension. The ransom note is called\u00a0_USE_TO_REPAIR_[a-zA-Z0-9].html<\/em><\/strong> where\u00a0[a-zA-Z0-9] is a random identifier.<\/p>\n

\"\"<\/a><\/p>\n

The payment page can be accessed via several provided links including a ‘.onion<\/em>‘ one. Attackers are asking for 0.0770 BTC, which is about $367 at the time of writing.<\/p>\n

\"\"<\/a><\/p>\n

Down but still kicking<\/h2>\n

The exploit kit landscape is not what it was a year ago, but we may be remiss to disregard drive-by download attacks completely. Malvertising is still thriving and we are noticing increased activity and changes with existing threat actors and newcomers.<\/p>\n

We will update this post with additional information about Princess Locker if there is anything noteworthy to add.<\/p>\n

Indicators of compromise<\/h2>\n

RIG EK gate:<\/p>\n

185.198.164.152<\/pre>\n
RIG EK IP address:<\/p>\n
188.225.84.28<\/pre>\n
Princess Ransomware binary:<\/p>\n
c61f4c072bb1e3c6281a9799c1a3902f35dba652756fe96a97e60d0097a3f9b7<\/pre>\n
Princess Ransomware payment page:<\/p>\n
royall6qpvndxlsj[.]onion<\/pre>\n
The post RIG exploit kit distributes Princess Ransomware<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 31 Aug 2017 20:04:32 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
A new campaign via the RIG exploit kit is pushing the Princess Ransomware.<\/p>\n
Categories: <\/p>\n