- 126.96.36.199 – cgtiaz.org – Compromised site
- 188.8.131.52 – rew.artbykimwild.com – Rig EK
- 184.108.40.206/24 and 220.127.116.11/24 – UDP traffic via destination port 6892
- 18.104.22.168 and 22.214.171.124 – Cerber Decryptor payment site(s):
- 126.96.36.199 – btc.blockr.io – Bitcoin blockchain explorer
File name: RigEK Landing Page.html
File name: RigEK Flash Exploit.swf
File name: IIj6sFosp
File name: rad1647E.tmp.exe
File name: Arrays.dll
Starting around late September 2016 Rig EK began to switch its payload from CryptMIC ransomware to Cerber ransomware. While the payload has changed it is still using the same attack vector and downloader.
Today’s infection began when I visited the compromised site cgtiaz.org. The site never successfully loaded in my browser, which is normal. However, the string “xzby” was displayed. Here is a picture of what I am describing:
Looking at the website’s source code we can see the traditional pseudoDarkleech campaign script as well as the string “xzby” outside of the </span> tag. Below is an image:
This same thing happened with my last Cerber compromise. Again, I’m not entirely sure why these extra strings are being added to the script but I feel like it is something worth noting.
The next step of the infection chain would be the malicious iframe causing the host to make a GET request for the Rig EK landing page. Once the host is redirected to the landing page the system is fingerprinted and sent a Flash exploit. Here is the GET for the landing page and the Flash exploit:
After the Flash exploit there is an extension-less JS downloader dropped into the user’s %TEMP% folder. That file was called “IIj6sFosp” and here is the code:
This file self deletes itself after it initiates the GET request for the payload. As I’ve said before this is the same script that was downloading CryptMIC back in September of 2016.
Here is the GET request for the payload:
The payload (rad1647E.tmp.exe) is then dropped in the user’s %TEMP% folder. Here is an image showing the JS downloader and payload, along with some other Cerber files and folders, in the user’s %TEMP% folder:
There was also the launcher (Arrays.dll) and some other files created in the user’s Roaming folder:
Encrypted files and folders are appended with a random 4 character file extension. It should be noted that the encrypted files are obfuscated with a random string of 10 characters. This makes it harder for user’s to pinpoint what files have been infected, thus increasing the likelihood of them paying the ransom:
The Desktop is also changed to display the ransom note. Then, an audible message is played to the user telling them that their files have been encrypted. The README.hta contains all the instructions for the Cerber Decryptor and payment sites:
If you’re interested in seeing exactly what the README.hta contains you can look at the pictures in this post HERE.
I recommend blocking the Rig EK IP at your perimeter firewall. I would also suggest that the compromised website be blocked (until it is cleaned).