Radamant Ransomware distributed via Rig EK

January 4, 2016 by Paul Kimayong

A new ransomware family called Radamant was discovered in early December 2015. On December 31, we found compromised websites redirecting visitors to the Rig Exploit Kit, which then downloaded this ransomware. The following sites were infected:

  • www.yatra.com
  • www.herbeauty.co
Infection Chain on yatra.com
Infection Chain on herbeauty.co

On each affected page, malicious HTML code was injected at the end of the page. The code loads a malicious Flash file that redirects the browser to the Rig EK landing page.

Injected Code

As of this writing, both websites have been cleaned and are free from infection.

Flash Exploit

The Rig EK on both sites uses the same Flash exploit and delivers the same payload. The Flash exploit targets the following vulnerability:

  • CVE-2015-5560

This is an older vulnerability that affects Flash Player versions 18.0.0.209 and below. It was patched on August 15, 2015 via the Adobe Flash Player 18.0.0.232 update. After successful exploitation, the exploit downloads its payload.


Radamant Ransomware

This is a new breed of ransomware that encrypts files using AES-256. Bleepingcomputer.com provides excellent coverage of this ransomware. The malware was also found to be leased as a kit on private malicious sites: it costs $1,000 USD to rent for one month, or potential buyers can test it for 48 hours for $100 USD.

Source: http://www.bleepingcomputer.com/news/security/radamant-ransomware-kit-for-sale-on-exploit-and-malware-sites/

As early as December 14, users were reporting on the BleepingComputer forum that their files had been encrypted and renamed with a .RDM or .RRK extension. The malware scans for all files matching a list of extensions and encrypts each one with a unique AES-256 key. Each per-file AES-256 key is then encrypted with a master key and embedded in the encrypted file.


Network Connections:

The malware first issues a POST request to its C&C server at http://cutenaskare.com/domains.php to retrieve the list of C&C domain(s):

    POST http://cutenaskare.com/domains.php

    Server Reply: [7:cutenaskare.com]

It then POSTs its ID and IP address to http://cutenaskare.com/API.php to check whether the machine is already registered with the server:

    POST http://cutenaskare.com/API.php
    id={machine fingerprint}&ip={victim's IP address}

    Server Reply: [0:unknownID][6:{IP region, e.g. RU}]

If the victim is new, the server replies with [0:unknownID], which instructs the bot to register by posting additional system information, including a public and private key:

    POST http://cutenaskare.com/API.php
    id={machine fingerprint}&apt=0&os={OS version}&ip={victim's IP address}&bits={32 or 64 bit}&discs={drive letters}&pub={public key}&prv={private key}

    Server Reply: [r:good]

The server then sends its public key, and the malware POSTs to:

    POST http://cutenaskare.com/mask.php

The server replies with the list of file extensions to encrypt, which also triggers the start of encryption. Once encryption is finished, the malware displays the following page informing the victim that their files have been encrypted and demanding a payment of 0.5 Bitcoin (approximately 220 USD).
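As an added example (not code from the original post or from the malware), the following Python flags the check-in sequence described above in constructed, tab-separated proxy log lines and splits the bracketed server replies into tokens; the log format, the sample values and the mask.php reply are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Check-in endpoints and the body fields shown for each; the host is not matched
# so the logic survives a change of C&C domain.
STAGES = {
    "/domains.php": ("domain_list", set()),
    "/API.php": ("id_check", {"id", "ip"}),
    "/mask.php": ("extension_list", set()),
}
REGISTRATION_FIELDS = {"id", "apt", "os", "ip", "bits", "discs", "pub", "prv"}
REPLY_TOKEN = re.compile(r"\[([^:\]]+):([^\]]*)\]")

def parse_reply(reply):
    """Split a reply such as '[0:unknownID][6:RU]' into (code, value) pairs."""
    return REPLY_TOKEN.findall(reply)

def classify(method, url, body):
    """Return the Radamant check-in stage a request matches, or None."""
    if method != "POST":
        return None
    path = urlsplit(url).path
    if path not in STAGES:
        return None
    stage, required = STAGES[path]
    fields = set(parse_qs(body).keys())
    if not required <= fields:
        return None
    if path == "/API.php" and REGISTRATION_FIELDS <= fields:
        return "registration"  # new victim: its key pair is being sent to the C&C
    return stage

def scan(lines):
    """Return (src_ip, stage, reply_tokens) for each tab-separated log line that matches."""
    hits = []
    for line in lines:
        src, method, url, body, reply = line.rstrip("\n").split("\t")
        stage = classify(method, url, body)
        if stage:
            hits.append((src, stage, parse_reply(reply)))
    return hits

# Constructed sample log (src, method, url, body, reply); the mask.php reply value is invented.
SAMPLE_LOG = [
    "10.0.0.5\tPOST\thttp://cutenaskare.com/domains.php\t\t[7:cutenaskare.com]",
    "10.0.0.5\tPOST\thttp://cutenaskare.com/API.php\tid=abc123&ip=10.0.0.5\t[0:unknownID][6:RU]",
    "10.0.0.5\tPOST\thttp://cutenaskare.com/API.php\tid=abc123&apt=0&os=Win7&ip=10.0.0.5&bits=64&discs=CD&pub=PUB&prv=PRV\t[r:good]",
    "10.0.0.5\tPOST\thttp://cutenaskare.com/mask.php\t\t[m:doc,xls,jpg]",
    "10.0.0.9\tGET\thttp://example.com/API.php\t\t",
]
```

A "registration" hit is the one to prioritise: it marks a host that has just been enrolled and is about to receive its extension list and start encrypting.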

radamant_ransom_page

radamant_ransom_page2


Fortunately, the malware's encryption had flaws that allowed Fabian Wosar to recover the encrypted files without paying the ransom.

Fabian’s tool can be downloaded from the following link:

  • emsi.at/DecryptRadamant

The tool has been updated to support the latest known version. It is also evident that the malware authors are not pleased with Fabian, as the latest version contains profane strings directed at him in its code.

The first version of Radamant was first seen on virustotal.com on December 3, 2015, and we have identified three versions to date.


Version   MD5                                 Mutex Name                              Extension of Encrypted Files
1         e62d58a48f3aca29acd535c3ae4b7ce1    Radamant_v1_Klitschko_number_one        .RDM
2         a40f1a7d3c1db966bbabdeb965697c1b    Radamant_v2_Klitschko_number_one        .RDM
2.1       72c71e4c78af74f4e500f1422a2f9092    \Sessions\1radamantv2_emisoft_fucked    .RRK


Indicators of Compromise

Mutex Names:

Radamant_v1_Klitschko_number_one
Radamant_v2_Klitschko_number_one
\Sessions\1radamantv2_emisoft_fucked

Install Path:

C:\Windows\DirectX.exe

Registry Keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Value: svchost or DirectX
    Data: C:\Windows\directx.exe

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    Value: svchost or DirectX
    Data: C:\Windows\directx.exe