Rig EK at 109.234.37.218 Drops Cerber

IOCs:

  • 162.144.210.253 – armyaviationmagazine.com – Compromised Site
  • 109.234.37.218 – re.flighteducationfinancecompany.com – Rig EK
  • 31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via port 6892

Traffic Associated With Cerber Compromise:

  • 148.251.6.214 – btc.blockr.io – Bitcoin blockchain explorer
  • 173.254.231.111 – ffoqr3ug7m726zou.fwzxnb.bid – Page for Cerber Decryptor
  • 173.254.231.111 – ffoqr3ug7m726zou.ywoi5n.bid – Page for Cerber Decryptor
  • 173.254.231.111 – ffoqr3ug7m726zou.8dlgyg.bid – Page for Cerber Decryptor
  • 173.254.231.111 – ffoqr3ug7m726zou.1nkkem.top – Page for Cerber Decryptor

Traffic:

[Screenshots: iocs, iocs-2 (traffic capture of the IOCs listed above)]

Hashes:

SHA256: 49ff728c9c7cab6e3bbd31e78df4cdb12ee6d7f206e540f90349bf6d9401f760
File name: RigEK Landing Page.html

SHA256: 744744db513250c8ddeef12d4998d339beac5cabc02a1d10f304e105462d4008
File name: RigEK Flash Exploit.swf

SHA256: 46135b461cc62f23aa83edf9ed62c41cbde490ebbcd89e324a03b3320643aca9
File name: radF3B48.tmp.exe

Infection Chain:

Browsing to the compromised site shows it was injected with a malicious script. The page failed to completely load. Below is a picture of the source code:

[Screenshot: compromised-site (source code of the compromised page with the injected script)]

That script contains the URL for the Rig EK landing page. The host then makes GET requests for the landing page, the Flash exploit, and the payload (in that order). Pictures of the GET requests and responses are shown below:

[Screenshots: rigek-lp, rigek-flash-exploit, rigek-payload (GET requests and responses)]

The payload was dropped in %TEMP% along with other folders and files. The Desktop background also changed to display a ransom note along with an audio announcement to the user that their files have been encrypted. Below is an image of the Desktop and some of the files dropped in %TEMP%:

[Screenshot: temp-desktop (Desktop with ransom note and files dropped in %TEMP%)]

You can see the payload, radF3B48.tmp.exe, as well as an HTML Application containing the Cerber ransomware instructions in %TEMP%. Here is an image of the README.hta once opened:

[Screenshot: instructions (README.hta as rendered)]

Clicking on any of the links shown in the picture above will cause the browser to load the decryptor payment site. Here is the source code for the instructions:

CERBER RANSOMWARE
Instructions
Select your language

English

Can't you find the necessary files?
Is the content of your files not readable?

It is normal because the files' names and the data in your files have been encrypted by "Cerber Ransomware".

It means your files are NOT damaged! Your files are modified only. This modification is reversible.
From now it is not possible to use your files until they will be decrypted.

The only way to decrypt your files safely is to buy the special decryption software "Cerber Decryptor".

Any attempts to restore your files with the third-party software will be fatal for your files!


--------------------------------------------------------------------------------

You can proceed with purchasing of the decryption software at your personal page:


Please wait...

http://ffoqr3ug7m726zou.1nkkem.top/[redacted]
--------------------------------------------------------------------------------
http://ffoqr3ug7m726zou.ywoi5n.bid/[redacted]
--------------------------------------------------------------------------------
http://ffoqr3ug7m726zou.8dlgyg.bid/[redacted]

If this page cannot be opened click here to generate a new address to your personal page.

At this page you will receive the complete instructions how to buy the decryption software for restoring all your files.

Also at this page you will be able to restore any one file for free to be sure "Cerber Decryptor" will help you.


--------------------------------------------------------------------------------

If your personal page is not available for a long period there is another way to open your personal page - installation and use of Tor Browser:

run your Internet browser (if you do not know what it is run the Internet Explorer);
enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
wait for the site loading;
on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
run Tor Browser;
connect with the button "Connect" (if you use the English version);
a normal Internet browser window will be opened after the initialization;
type or copy the address http://ffoqr3ug7m726zou.onion/[redacted] in this browser address bar;
press ENTER;
the site should be loaded; if for some reason the site is not loading wait for a moment and try again.
If you have any problems during installation or use of Tor Browser, please, visit https://www.youtube.com and type request in the search bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use.


--------------------------------------------------------------------------------

Additional information:

You will find the instructions ("*.hta") for restoring your files in any folder with your encrypted files.

The instructions ("*.hta") in the folders with your encrypted files are not viruses, the instructions ("*.hta") will help you to decrypt your files.

Remember the worst situation already happened and now the future of your files depends on your determination and speed of your actions.

Once on the payment site the user must select a language and confirm that they are a human by selecting similar images. Once the user selects all the similar images they are redirected to the payment site. Below are screenshots of each step:

[Screenshots: select-language, confirm-human, payment-screen-1, payment-screen-2]

I recommend blocking the compromised site (until it has been cleaned) and the Rig EK IP address.
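One way to turn the indicators in this post into a detection, as an added example that is not the author's code: it parses a constructed flow-log format and tags records that match the Rig EK hosts, the Cerber payment-page infrastructure, or UDP/6892 traffic into the listed /24 ranges. The log format, field names, sample records and timestamps are assumptions made for the example.

```python
import ipaddress

# Indicators from the write-up above; the log format and sample records are constructed.
RIG_EK_IPS = {"162.144.210.253", "109.234.37.218"}
RIG_EK_HOSTS = {"armyaviationmagazine.com", "re.flighteducationfinancecompany.com"}
CERBER_PAYMENT_IPS = {"173.254.231.111"}
CERBER_SUBDOMAIN = "ffoqr3ug7m726zou"  # first label shared by every payment-page host
CERBER_UDP_NETS = [ipaddress.ip_network(n) for n in ("31.184.234.0/24", "31.184.235.0/24")]
CERBER_UDP_PORT = 6892
# btc.blockr.io (148.251.6.214) is a legitimate blockchain explorer, so it is not a block indicator.

def parse_line(line):
    """Parse one constructed record: '<ts> <proto> <src_ip> <dst_ip>:<dst_port> <host>'."""
    ts, proto, src_ip, dst, host = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "src_ip": src_ip,
            "dst_ip": dst_ip, "dst_port": int(dst_port), "host": host.lower()}

def classify(rec):
    """Return the indicator tags one record matches (empty list if none)."""
    tags = []
    if rec["dst_ip"] in RIG_EK_IPS or rec["host"] in RIG_EK_HOSTS:
        tags.append("rig-ek")
    if rec["dst_ip"] in CERBER_PAYMENT_IPS or rec["host"].split(".")[0] == CERBER_SUBDOMAIN:
        tags.append("cerber-payment-page")
    if rec["proto"] == "udp" and rec["dst_port"] == CERBER_UDP_PORT:
        # The post-infection UDP traffic targets whole /24 ranges, so match by CIDR, not exact IP.
        if any(ipaddress.ip_address(rec["dst_ip"]) in net for net in CERBER_UDP_NETS):
            tags.append("cerber-udp-beacon")
    return tags

def scan(lines):
    """Return (ts, src_ip, tags) for every record matching at least one indicator."""
    hits = []
    for rec in map(parse_line, lines):
        tags = classify(rec)
        if tags:
            hits.append((rec["ts"], rec["src_ip"], tags))
    return hits

SAMPLE_LOG = [  # constructed: one infected host (10.0.0.5) and one clean host (10.0.0.7)
    "12:00:01 tcp 10.0.0.5 162.144.210.253:80 armyaviationmagazine.com",
    "12:00:02 tcp 10.0.0.5 109.234.37.218:80 re.flighteducationfinancecompany.com",
    "12:00:09 udp 10.0.0.5 31.184.234.17:6892 -",
    "12:00:10 udp 10.0.0.5 31.184.9.1:6892 -",  # same port, but outside the listed /24s
    "12:00:30 tcp 10.0.0.5 173.254.231.111:80 ffoqr3ug7m726zou.1nkkem.top",
    "12:01:00 tcp 10.0.0.7 198.51.100.10:443 intranet.example",
]
```

Running `scan(SAMPLE_LOG)` flags only the four records from 10.0.0.5 that touch listed infrastructure; the UDP/6892 flow outside the two /24s and the clean host produce no hits.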

malwarebreakdown
