pseudoDarkleech Leads to Rig EK at 108.61.167.148 and Drops Cerber

IOCs:

  • 69.195.124.241 – injuryphysicians.com – Compromised site
  • 108.61.167.148 – try.maslakkiralikofis.com – Rig EK
  • UDP traffic to 31.184.234.0/24 and 31.184.235.0/24 on UDP port 6892 – post-infection traffic
  • 148.251.6.214 – btc.blockr.io – Bitcoin blockchain
  • 173.254.231.111:
    • ffoqr3ug7m726zou.13uvry.top – Cerber Decryptor payment site
    • ffoqr3ug7m726zou.rbrkng.bid – Cerber Decryptor payment site
  • 210.16.101.69:
    • ffoqr3ug7m726zou.yjy5dr.bid – Cerber Decryptor payment site
    • ffoqr3ug7m726zou.rbrkng.bid – Cerber Decryptor payment site
  • 185.100.85.150 – ffoqr3ug7m726zou.onion.to – Cerber Decryptor payment site

Traffic:

[Screenshots: traffic captures iocs1 and iocs2]

Hashes:

  1. SHA256: 11e0f5e4e4fd4f8c9004618a3028435857e430686f6cfbd72a342da0123d9490
    File name: RigEK Landing Page.html
  2. SHA256: 117b65e553c16d86d9af1a6796d1378de8c5489b070c4db8df75af3bd50e6671
    File name: RigEK Flash Exploit.swf
  3. SHA256: c9fec51ee8c39f2afaab3421bf23ca116a9d049f6f29bcb202abf7199a313e11
    File name: IIj6sFosp
  4. SHA256: 6e7845352b35318b34f7ec988214815a405845e97bf7ab3b8be1bfc7f08c6aed
    File name: radB4AC7.tmp.exe

Infection Chain:

The infection starts with the user browsing to the compromised website. Below is the pseudoDarkleech script injected into the site's page source:

[Screenshot: pseudoDarkleech injection in the compromised site's page source]

The URL in the injected iframe sends the host to the Rig EK landing page. Once on the landing page, the host is served a Flash exploit and then the payload.

Before the payload is written to %TEMP%, an extension-less JavaScript file (IIj6sFosp, hash 3 above) is dropped there. It deletes itself before radB4AC7.tmp.exe is downloaded.

Here are some of the files created in %TEMP% and in the user's Roaming folder:

[Screenshots: file listings of %TEMP% and the Roaming folder]

Here is an image of the Desktop after the infection. Notice that the ransom note, which contains the instructions for the Cerber Decryptor, is dropped on the Desktop as an HTML Application (.hta):

[Screenshot: infected Desktop with the Cerber ransom note]

If you're protecting a home network, block the Rig EK IP address (108.61.167.148). If you're working in a SOC or have multiple customers, scan their flow data for hosts making UDP connections to the two subnets listed in the IOC section, then filter that traffic on UDP port 6892. A single host sending to an entire /24 is easy to spot. Block the Rig EK IP address at your perimeter firewall(s) as well.
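The hunt described above, written out as an added example (not code from the original post): it reads flow records in a trimmed Zeek conn.log layout, flags any internal host that contacted the Rig EK IP, and flags hosts whose UDP traffic to port 6892 fans out across the two 31.184.234.0/24 and 31.184.235.0/24 subnets. The flow records are constructed for the example, 6892 is treated as the destination port, and the eight-distinct-destination threshold is an assumption chosen so that one stray datagram does not alert while a host spraying a whole /24 does.

```python
import ipaddress
from collections import defaultdict

# Network IOCs from the post.
CERBER_UDP_NETS = (ipaddress.ip_network("31.184.234.0/24"),
                   ipaddress.ip_network("31.184.235.0/24"))
CERBER_UDP_PORT = 6892            # assumed to be the destination port
RIG_EK_IP = ipaddress.ip_address("108.61.167.148")

# Constructed flow records for this example (not captured traffic), laid out like a
# trimmed Zeek conn.log: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.
_spray_lines = [
    "1467000010.0\t192.168.1.20\t58231\t31.184.%d.%d\t6892\tudp" % (third, last)
    for third in (234, 235) for last in range(1, 11)
]
SAMPLE_FLOWS = "\n".join([
    "# constructed sample",
    "1467000001.1\t192.168.1.20\t49152\t69.195.124.241\t80\ttcp",   # compromised site
    "1467000002.2\t192.168.1.20\t49153\t108.61.167.148\t80\ttcp",   # Rig EK landing page
    *_spray_lines,                                                  # UDP spray across both /24s
    "1467000003.0\t192.168.1.30\t51000\t8.8.8.8\t53\tudp",           # benign DNS
    "1467000004.0\t192.168.1.30\t51001\t31.184.234.5\t6892\tudp",    # one hit, below threshold
    "1467000005.0\t192.168.1.40\t51002\t31.184.234.5\t443\ttcp",     # right subnet, wrong proto/port
])


def parse_flows(text):
    """Parse tab-separated flow lines into dicts; skips blank and comment lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split("\t")
        flows.append({
            "ts": float(ts),
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "proto": proto.lower(),
        })
    return flows


def is_cerber_udp(flow):
    """UDP to port 6892 with a destination inside either of the two listed /24s."""
    return (flow["proto"] == "udp"
            and flow["dport"] == CERBER_UDP_PORT
            and any(flow["dst"] in net for net in CERBER_UDP_NETS))


def find_suspect_hosts(flows, min_targets=8):
    """Return hosts that touched the Rig EK IP and hosts whose UDP/6892 traffic
    reaches at least min_targets distinct addresses in the Cerber subnets."""
    rig_contacts = set()
    udp_targets = defaultdict(set)
    for f in flows:
        if f["dst"] == RIG_EK_IP:
            rig_contacts.add(str(f["src"]))
        if is_cerber_udp(f):
            udp_targets[str(f["src"])].add(f["dst"])
    return {
        "rig_ek_contact": rig_contacts,
        "cerber_udp_spray": {h for h, t in udp_targets.items() if len(t) >= min_targets},
        "udp_target_counts": {h: len(t) for h, t in udp_targets.items()},
    }


if __name__ == "__main__":
    for label, value in find_suspect_hosts(parse_flows(SAMPLE_FLOWS)).items():
        print(label, value)
```

Run on the constructed sample, 192.168.1.20 is reported both for contacting the Rig EK IP and for spraying 20 distinct addresses across the two subnets, while 192.168.1.30 (a single datagram) and 192.168.1.40 (TCP/443 into the same subnet) are not. On real data, feed it conn.log rows with the same six fields and tune min_targets to your environment.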
