pseudoDarkleech Leads to Rig EK at 107.191.63.102 and Drops Cerber Ransomware

IOCs:

  • 206.188.193.61 – surfsideanimalhospital.com – Compromised site
  • 107.191.63.102 – pop.42-maslak.net – Rig EK
  • 31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via port 6892
  • 148.251.6.214 – btc.blockr.io – Bitcoin blockchain
  • 173.254.231.111:
    • vyohacxzoue32vvk.g0lpn5.bid – Cerber Decryptor site
    • vyohacxzoue32vvk.13uvry.top – Cerber Decryptor site
    • vyohacxzoue32vvk.x8p2m7.bid – Cerber Decryptor site
  • 217.197.83.197 – vyohacxzoue32vvk.onion.to – Cerber Decryptor site

Traffic:

(traffic screenshots: iocs-1, iocs-2)

Hashes:

  1. SHA256: ab8d6638977e34c0d14f096d02e3a973c1c624845e075c48e696c35f7e35020a
    File name: RigEK Landing Page.html
  2. SHA256: 662ba372c286dcd19d52720052b2f8bb9042d60dea47349974016f39b454d46e
    File name: RigEK Flash Exploit.swf
  3. SHA256: 38f0da482f58291557839d4fd9fd198a77b7ec254351f0e7c2adc68b526afa4e
    File name: radB885F.tmp.exe

Infection Chain:

This was a typical pseudoDarkleech infection chain leading to a Rig EK server. Below is the malicious script that was found on the compromised site:

(screenshot: pseudodarkleech-script)

That pseudoDarkleech script redirected the host to the Rig EK server, which served a Flash exploit and then the Cerber payload. Post-infection traffic included the host sending UDP packets on port 6892 to every IP in 31.184.234.0/24 and 31.184.235.0/24 (twice each), followed by traffic to the bitcoin blockchain (btc.blockr.io) and the decryptor payment sites.
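The UDP sweep above is the most distinctive network artefact of this Cerber build, and it is easy to catch from flow data alone. The Python below is an added example (not part of the original post): it builds a constructed flow log in which one victim sweeps both /24s twice on UDP/6892, then runs a detector that flags any source hitting most of a /24 on that port. The port and subnets come from the IOC list above; the flow record field names, the victim address, the noise traffic and the 200-address threshold are assumptions.

```python
"""Detect the Cerber-style UDP /24 sweep described in the infection chain.

Added example, not code from the original post. Flow records are a constructed
stand-in for NetFlow or Zeek conn.log data; field names are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# From the post's IOCs: Cerber sent UDP/6892 to every address in these /24s.
CERBER_UDP_PORT = 6892
CERBER_SUBNETS = [ip_network("31.184.234.0/24"), ip_network("31.184.235.0/24")]


def build_sample_flows():
    """Constructed flow log: one victim sweeps both /24s twice, plus benign noise."""
    victim = "192.168.1.105"  # assumed infected host
    flows = []
    for net in CERBER_SUBNETS:
        for _ in range(2):  # the post reports two packets to each address
            for host in net:  # iterating the network includes .0 and .255
                flows.append({"src": victim, "dst": str(host),
                              "proto": "udp", "dport": CERBER_UDP_PORT})
    # Benign noise from another host: one DNS query and a few NTP queries that
    # happen to land in one of the IOC ranges (should not trip the detector).
    flows.append({"src": "192.168.1.20", "dst": "8.8.8.8", "proto": "udp", "dport": 53})
    for i in range(1, 6):
        flows.append({"src": "192.168.1.20", "dst": f"31.184.234.{i}",
                      "proto": "udp", "dport": 123})
    return flows


def find_udp_sweeps(flows, port=CERBER_UDP_PORT, min_hosts=200):
    """Return {src: [subnet, ...]} for sources that reached at least `min_hosts`
    distinct addresses of a single /24 over UDP on `port`.

    Keyed on any /24, not only the two IOC ranges, so a build that sweeps
    different ranges on the same port is still caught.
    """
    seen = defaultdict(set)  # (src, /24) -> distinct destination addresses
    for f in flows:
        if f["proto"] != "udp" or f["dport"] != port:
            continue
        net = ip_network(f"{f['dst']}/24", strict=False)
        seen[(f["src"], net)].add(ip_address(f["dst"]))
    hits = defaultdict(list)
    for (src, net), dsts in seen.items():
        if len(dsts) >= min_hosts:
            hits[src].append(str(net))
    return {src: sorted(nets) for src, nets in hits.items()}


def count_per_target(flows, src, port=CERBER_UDP_PORT):
    """Packets per destination from `src` on udp/`port`; the post saw two each."""
    counts = defaultdict(int)
    for f in flows:
        if f["src"] == src and f["proto"] == "udp" and f["dport"] == port:
            counts[f["dst"]] += 1
    return dict(counts)


if __name__ == "__main__":
    sample = build_sample_flows()
    for src, nets in find_udp_sweeps(sample).items():
        per_target = count_per_target(sample, src)
        print(f"{src} swept {nets}: {len(per_target)} targets, "
              f"{sorted(set(per_target.values()))} packets each")
```

The threshold of 200 distinct addresses is deliberately below the 256 a full sweep produces so that lossy flow export or a capture started mid-sweep still triggers; tune it down further if your sensor samples flows. The NTP noise host touches only five addresses in the same range and is ignored.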

Below is an image of the Desktop post-infection and the files dropped in %TEMP%:

(screenshot: desktop-and-temp-folder)

I recommend blocking the Rig EK IP at your perimeter firewall(s).

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

2 thoughts on “pseudoDarkleech Leads to Rig EK at 107.191.63.102 and Drops Cerber Ransomware”

  • October 23, 2016 at 6:35 AM

    How to remove this?
    • October 23, 2016 at 8:41 AM

      If the files are encrypted then you might be out of luck. I don’t think there is a way to decrypt files infected by this version of Cerber. However, sometimes AV companies release decryption tools. My best advice is to keep regular backups handy.

