Sign Me Up For
The Free Assessment


CryptoShield Infections from RIG EK Slowly Growing

It has been said that the RIG Exploit Kit remains fairly active. Although there is an overall decline on their activities. However it has been spreading a fairly new variant of ransomware called CryptoShield.

Malware researchers have identified that the the attack group uses EITEST to deliver the malware. They infect victims machines via malvertising campaigns and infected websites and behold, CryptoShield is its primary payload.

According to SANS Institute Internet Storm Center said EITest activity has grown.

Brad Duncan of SANS said that “I’m seeing a fair amount of the traffic,” Duncan said of EITest, which has been a known offender since 2014. “EITest is known to distribute other types of malware, but I’ve been seeing a lot of CryptoShield ransomware from it during the past week or so.”

CryhptoShield is an evolved version of CryptoMix and discovered by researcher Kafeine and has been spreading via EITest campaigns. Basically EITest injects JavaScript into sites or advertisements, and that code calls out to the attacker for the ransomware payload.

There has been an analysis published by security outfit BleepingComputer last January. They have determined how it works. Once a computer is infected by CryptoShield a unique ID and encryption key is created for that said machine and encrypts the files on the machine and the .CRYPTOSHIELD extension is added as per security researcher Lawrence Abrams.

This happens when the victim browses on the compromised website or one hosting the malicious ad, the host machine gets infected.

The victim would receive 2 pop-ups. One would be an application error and the other one would be a User Account Control prompt. Once both of them are clicked, the victim would see a text file containing payment instructions.

See images below for reference:

Duncan identified two RIG Exploit Kit IP addresses and domains (194[.]87[.]93[.]53 for need[.]southpadreforsale[.]com, and 194[.]87[.]93[.]53 for star[.]southpadrefishingguide[.]com), as well as 45[.]63[.]115[.]214 for post-infection communication from CryptoShield. Duncan said that IPs and domains associated with RIG traffic change daily, sometimes more frequently, and that these IPs have likely been changed.

Duncan and Abrams said that victims are likely exclusively infected over the web and spread via RIG, rather than email-based campaigns. RIG, meanwhile, continues to assert itself as one of the busiest exploit kits in circulation. With monster kits such as Angler put out of commission as recently as last summer, along with a number of others, the reliance on exploit kits for malware propagation has noticeably diminished.

“Rig EK is the most prevalent exploit kits I’m seeing at the moment. It’s definitely not the only one,” Duncan said. “Other exploit kits like Magnitude and Sundown are still active, and I see indicators of those on a daily basis. But volume-wise, I see more indicators for Rig EK. The majority (50 percent or more) of all exploit kit indicators I’m finding are for Rig.”

Below are the file extensions targeted by CryptoShield


Written by

No Comments Yet.

Leave a Reply


[contact-form-7 id="5555" title="Mobile Form"]