pseudoDarkleech Leads to Rig EK at 194.87.146.233 Which Drops Cerber Ransomware

IOCs:

  • 209.235.165.201 – cgtiaz.org – Compromised site
  • 194.87.146.233 – rew.artbykimwild.com – Rig EK
  • 31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via destination port 6892
  • 45.59.114.125 and 173.254.231.11 – Cerber Decryptor payment site(s):
    • ffoqr3ug7m726zou.hajw7w.bid
    • ffoqr3ug7m726zou.1nkkem.top
    • ffoqr3ug7m726zou.zn90h4.bid
    • ffoqr3ug7m726zou.5ggovj.bid
    • ffoqr3ug7m726zou.onion
  • 148.251.6.214 – btc.blockr.io – Bitcoin blockchain explorer

Traffic:

iocs-1

iocs-2

Hashes:

SHA256: dfa75edd8f2e3d6b85754e73b31e2ce6479dc1fccaee4da1a7fec1a57a2f3112
File name: RigEK Landing Page.html

SHA256: cabb797012864750b80b2942ebfcfdedcb3ef6b4a510b4d28c9389a69f4d010a
File name: RigEK Flash Exploit.swf

SHA256: ecf0e7c5186591046df13e787985f8df6fd32d6d0e8d695ebaca09965b85029c
File name: IIj6sFosp

SHA256: 1bba2047cdbdda797f451aa20748e340a85f5d592c88dfb67d7dc4db14c4e783
File name: rad1647E.tmp.exe

SHA256: 681c3a7b092eb854efa43efb69e7b532db6bdcfe528ca64ac33dbf6677a63119
File name: Arrays.dll

Infection Chain:

Starting around late September 2016, Rig EK began to switch its payload from CryptMIC ransomware to Cerber ransomware. While the payload has changed, it is still using the same attack vector and downloader.

Today’s infection began when I visited the compromised site cgtiaz.org. The site never successfully loaded in my browser, which is normal. However, the string “xzby” was displayed. Here is a picture of what I am describing:

compromised-site

Looking at the website’s source code we can see the traditional pseudoDarkleech campaign script as well as the string “xzby” outside of the </span> tag. Below is an image:

pseudodarkleech-script

This same thing happened with my last Cerber compromise. Again, I’m not entirely sure why these extra strings are being added to the script but I feel like it is something worth noting.

The next step of the infection chain would be the malicious iframe causing the host to make a GET request for the Rig EK landing page. Once the host is redirected to the landing page the system is fingerprinted and sent a Flash exploit. Here is the GET for the landing page and the Flash exploit:

After the Flash exploit there is an extension-less JS downloader dropped into the user’s %TEMP% folder. That file was called “IIj6sFosp” and here is the code:

js-downloader

This file deletes itself after it initiates the GET request for the payload. As I’ve said before, this is the same script that was downloading CryptMIC back in September of 2016.

Here is the GET request for the payload:

rigek-payload

The payload (rad1647E.tmp.exe) is then dropped in the user’s %TEMP% folder. Here is an image showing the JS downloader and payload, along with some other Cerber files and folders, in the user’s %TEMP% folder:

temp

There was also the launcher (Arrays.dll) and some other files created in the user’s Roaming folder:

roaming

Encrypted files and folders are appended with a random 4-character file extension. It should be noted that the encrypted file names are also replaced with a random string of 10 characters. This makes it harder for users to pinpoint which files have been encrypted, thus increasing the likelihood of them paying the ransom:

downloads-folder

The Desktop is also changed to display the ransom note. Then, an audible message is played to the user telling them that their files have been encrypted. The README.hta contains all the instructions for the Cerber Decryptor and payment sites:

desktop

If you’re interested in seeing exactly what the README.hta contains you can look at the pictures in this post HERE.

I recommend blocking the Rig EK IP at your perimeter firewall. I would also suggest that the compromised website be blocked (until it is cleaned).
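As an added example (not part of the original post), here is a small Python checker that applies the IOCs listed above to a constructed log format of my own choosing: one line per connection with protocol, source IP, destination IP, destination port, and the HTTP Host header (or "-" for non-HTTP traffic). It flags the compromised site, the Rig EK server, the Cerber UDP traffic on port 6892 to the two /24 ranges, and the Cerber payment sites by their shared victim-specific label.

```python
import ipaddress
import re

# Indicators taken from the IOC list in this post.
COMPROMISED_SITE = "cgtiaz.org"
RIG_EK_IP = "194.87.146.233"
RIG_EK_HOST = "rew.artbykimwild.com"
CERBER_UDP_NETS = [ipaddress.ip_network(n) for n in ("31.184.234.0/24", "31.184.235.0/24")]
CERBER_UDP_PORT = 6892
CERBER_PAYMENT_IPS = {"45.59.114.125", "173.254.231.11"}
# All listed payment hostnames share the same first label, so match on that prefix.
CERBER_PAYMENT_RE = re.compile(r"^ffoqr3ug7m726zou\.", re.IGNORECASE)

# Constructed log format (an assumption for this example, not from the post):
# <proto> <src_ip> <dst_ip> <dst_port> <http_host_or_dash>
SAMPLE_LOG = """\
TCP 10.0.0.5 209.235.165.201 80 cgtiaz.org
TCP 10.0.0.5 194.87.146.233 80 rew.artbykimwild.com
UDP 10.0.0.5 31.184.234.17 6892 -
UDP 10.0.0.5 31.184.236.9 6892 -
TCP 10.0.0.5 45.59.114.125 80 ffoqr3ug7m726zou.hajw7w.bid
TCP 10.0.0.5 198.51.100.7 443 example.com
"""


def classify(line):
    """Return the names of the indicators matched by one log line (empty if clean)."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return []  # malformed line: ignore rather than crash the scan
    proto, _src, dst_ip, dst_port, host = parts
    hits = []
    if host == COMPROMISED_SITE:
        hits.append("compromised-site")
    if dst_ip == RIG_EK_IP or host == RIG_EK_HOST:
        hits.append("rig-ek")
    if CERBER_PAYMENT_RE.match(host) or dst_ip in CERBER_PAYMENT_IPS:
        hits.append("cerber-payment-site")
    if proto.upper() == "UDP" and int(dst_port) == CERBER_UDP_PORT:
        try:
            addr = ipaddress.ip_address(dst_ip)
        except ValueError:
            addr = None
        # Only the two /24s from the IOC list count; a neighbouring /24 does not.
        if addr is not None and any(addr in net for net in CERBER_UDP_NETS):
            hits.append("cerber-udp-traffic")
    return hits


def scan(lines):
    """Return (1-based line number, hits) for every line that matched an indicator."""
    return [(n, classify(line)) for n, line in enumerate(lines, 1) if classify(line)]
```

Running `scan(SAMPLE_LOG.splitlines())` reports lines 1, 2, 3 and 5; the UDP line to 31.184.236.9 and the example.com line are left alone.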
