pseudoDarkleech Leads to Rig EK at 188.227.75.149 Which Drops Cerber

IOCs:

  • 75.98.175.88 – heytanksla.com – Compromised site
  • 188.227.75.149 – add.projectcollective.com – Rig EK
  • 31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via port 6892
  • 148.251.6.214 – btc.blockr.io – Bitcoin block explorer
  • 107.161.95.138 – ffoqr3ug7m726zou.e6cf2t.bid – Cerber Decryptor payment site

Traffic:

[Images: traffic-1, traffic-2 (packet capture screenshots)]

Hashes:

  1. SHA256: 9eba65e897e6eba00ffaa3b0639f995f59ddb75df5159565a793a87cc05e4389
    File name: RigEK Landing Page.html
  2. SHA256: 447481e6592cca3a787e823e1b146240ce2b11ac24fbb6ec141e6a1300a6d4fe
    File name: RigEK Flash Exploit.swf
  3. SHA256: 6da39edbd0a1455beaac5ae1c163624519998abd8f3abc74316b73ab98f83a9d
    File name: IIj6sFosp
  4. SHA256: 306b2d18efdfc5254e4623fb63225534ddef7874224948d1c7f62707405c153a
    File name: rad5EC32.tmp.exe

Infection Chain:

Below is an image of me inspecting the compromised website and finding it has been injected with the pseudoDarkleech script:

[Image: pseudodarkleech (injected script in the compromised site’s source)]

The URL within the iframe points the host to the Rig EK landing page. Once on the landing page the host is fingerprinted before being sent a Flash exploit and payload. There is the typical extension-less .js downloader (IIj6sFosp) dropped into %TEMP% followed by rad5EC32.tmp.exe.

The host then makes UDP connections to all the IPs in 31.184.234.0/24 and 31.184.235.0/24 via port 6892. The user’s Desktop is then altered to display the Cerber ransom note, and an audio message tells the user that their files have been encrypted.

Below is an image of the Desktop and some Cerber files dropped into %TEMP%:

[Image: temp-and-desktop (ransom note on the Desktop and Cerber files in %TEMP%)]

Some “README” .hta files are then dropped on the Desktop and in various folders. This HTML Application contains the Cerber Decryptor payment instructions.

If you’re working in a SOC or have multiple customers, you can scan their networks for hosts making UDP connections to the two subnets listed in the IOC section, then filter the traffic by UDP port 6892. A single host sweeping an entire subnet should be fairly easy to spot. I would also highly recommend blocking the Rig EK IP address at your perimeter firewall(s).
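As an added example (not part of the original post), the check above written as a small script: it reads Zeek-style conn.log lines, keeps only UDP/6892 flows into the two Cerber ranges, and reports sources that reached several distinct addresses in those ranges, since the described behaviour is a sweep of the whole /24s rather than a single datagram. The tab-separated field order and the sample log lines are constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in a Zeek-style tab-separated conn.log layout (assumed here):
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
SAMPLE_CONN_LOG = """\
1481000000.1\t10.0.0.5\t49152\t31.184.234.1\t6892\tudp
1481000000.2\t10.0.0.5\t49153\t31.184.234.2\t6892\tudp
1481000000.3\t10.0.0.5\t49154\t31.184.235.7\t6892\tudp
1481000000.4\t10.0.0.5\t49155\t31.184.235.8\t6892\tudp
1481000000.5\t10.0.0.9\t51000\t31.184.234.1\t6892\tudp
1481000000.6\t10.0.0.9\t51001\t8.8.8.8\t53\tudp
1481000000.7\t10.0.0.12\t52000\t31.184.234.3\t6892\ttcp
"""

# The two ranges and port from the IOC section of the post.
CERBER_UDP_NETS = [ipaddress.ip_network("31.184.234.0/24"),
                   ipaddress.ip_network("31.184.235.0/24")]
CERBER_UDP_PORT = 6892


def parse_conn_log(text):
    """Yield (src, dst, dport, proto) from tab-separated lines; skip comments/short rows."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        _, src, _, dst, dport, proto = fields[:6]
        yield src, ipaddress.ip_address(dst), int(dport), proto.lower()


def find_cerber_udp_hosts(text, min_distinct_dsts=3):
    """Map source host -> number of distinct IPs it reached in the Cerber ranges
    over UDP/6892. Sources below min_distinct_dsts are dropped: the infection
    sweeps both /24s, so one stray hit is not the pattern we are looking for."""
    hits = defaultdict(set)
    for src, dst, dport, proto in parse_conn_log(text):
        if proto != "udp" or dport != CERBER_UDP_PORT:
            continue
        if any(dst in net for net in CERBER_UDP_NETS):
            hits[src].add(dst)
    return {src: len(d) for src, d in hits.items() if len(d) >= min_distinct_dsts}


if __name__ == "__main__":
    for host, n in find_cerber_udp_hosts(SAMPLE_CONN_LOG).items():
        print(f"{host}: {n} distinct destinations in Cerber ranges on UDP/6892")
```

Lower `min_distinct_dsts` to 1 to see every host that touched the ranges at all, which is useful for triage even if it produces more noise.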
