pseudoDarkleech Leads to Rig EK at and Drops Cerber Ransomware


  • – – Compromised site
  • – – Rig EK
  • and – UDP traffic via port 6892
  • – – Bitcoin blockchain
    • – Cerber Decryptor site
    • – Cerber Decryptor site
    • – Cerber Decryptor site
  • – – Cerber Decryptor site




  1. SHA256: ab8d6638977e34c0d14f096d02e3a973c1c624845e075c48e696c35f7e35020a
    File name: RigEK Landing Page.html
  2. SHA256: 662ba372c286dcd19d52720052b2f8bb9042d60dea47349974016f39b454d46e
    File name: RigEK Flash Exploit.swf
  3. SHA256: 38f0da482f58291557839d4fd9fd198a77b7ec254351f0e7c2adc68b526afa4e
    File name: radB885F.tmp.exe

Infection Chain:

This was a typical pseudoDarkleech infection chain leading to a Rig EK server. Below is the malicious script that was found on the compromised site:


That pseudoDarkleech script redirected the host to the Rig EK server at which point it was sent a Flash exploit and then the Cerber payload. Post-infection traffic following the delivery of the payload included the host making UDP connections to every IP in subnets and (two times each). We then see traffic to the bitcoin blockchain and the decryptor payment sites.
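The UDP fan-out described above is the most distinctive post-infection signal here, so the following is an added example (not code from the original post) of a small detector run over constructed flow records. Port 6892 is the one observed in the capture; the subnet, the source addresses and the threshold are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, proto, dst_port); not from the original capture.
# Simulates an infected host hitting every address in 192.0.2.0/24 twice over
# UDP/6892 (a documentation range used as a stand-in), plus ordinary DNS noise
# and one unrelated single packet to the same port from another host.
SAMPLE_FLOWS = (
    [("10.0.0.5", str(ip), "udp", 6892)
     for ip in ipaddress.ip_network("192.0.2.0/24").hosts()] * 2
    + [("10.0.0.5", "10.0.0.53", "udp", 53)] * 20
    + [("10.0.0.7", "198.51.100.9", "udp", 6892)]
)

CERBER_UDP_PORT = 6892   # port seen in the post-infection traffic
MIN_DISTINCT_DSTS = 100  # assumed threshold: a /24 sweep far exceeds normal fan-out


def detect_udp_sweeps(flows, port=CERBER_UDP_PORT, min_hosts=MIN_DISTINCT_DSTS):
    """Return {(src, subnet/24): (distinct_dsts, packets)} for every source that
    sends UDP/<port> to at least min_hosts distinct addresses inside one /24."""
    dsts = defaultdict(set)
    pkts = defaultdict(int)
    for src, dst, proto, dport in flows:
        if proto != "udp" or dport != port:
            continue
        subnet = ipaddress.ip_network(f"{dst}/24", strict=False)
        key = (src, str(subnet))
        dsts[key].add(dst)
        pkts[key] += 1
    return {k: (len(v), pkts[k]) for k, v in dsts.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for (src, subnet), (hosts, packets) in detect_udp_sweeps(SAMPLE_FLOWS).items():
        print(f"ALERT {src} swept {subnet} on udp/{CERBER_UDP_PORT}: "
              f"{hosts} hosts, {packets} packets")
```

Each flagged entry reports the distinct destination count and the packet count, so the "two times each" pattern shows up as packets being double the host count.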

Below is an image of the Desktop post-infection and the files dropped in %TEMP%:


I recommend blocking the Rig EK IP at your perimeter firewall(s).


Just a normal person who spends their free time infecting systems with malware.

2 thoughts on “pseudoDarkleech Leads to Rig EK at and Drops Cerber Ransomware”

  • October 23, 2016 at 6:35 AM

    How to remove this?

    • October 23, 2016 at 8:41 AM

      If the files are encrypted then you might be out of luck. I don’t think there is a way to decrypt files infected by this version of Cerber. However, sometimes AV companies release decryption tools. My best advice is to keep regular backups handy.

