- 220.127.116.11 – heytanksla.com – Compromised site
- 18.104.22.168 – add.projectcollective.com – Rig EK
- 22.214.171.124/24 and 126.96.36.199/24 – UDP traffic via port 6892
- 188.8.131.52 – btc.blockr.io – Bitcoin block explorer
- 184.108.40.206 – ffoqr3ug7m726zou.e6cf2t.bid – Cerber Decryptor payment site
- SHA256: 9eba65e897e6eba00ffaa3b0639f995f59ddb75df5159565a793a87cc05e4389
File name: RigEK Landing Page.html
- SHA256: 447481e6592cca3a787e823e1b146240ce2b11ac24fbb6ec141e6a1300a6d4fe
File name: RigEK Flash Exploit.swf
- SHA256: 6da39edbd0a1455beaac5ae1c163624519998abd8f3abc74316b73ab98f83a9d
File name: IIj6sFosp
- SHA256: 306b2d18efdfc5254e4623fb63225534ddef7874224948d1c7f62707405c153a
File name: rad5EC32.tmp.exe
Below is an image of me inspecting the compromised website and finding it has been injected with the pseudoDarkleech script:
The URL within the iframe points the host to the Rig EK landing page. Once on the landing page, the host is fingerprinted before being sent a Flash exploit and payload. The typical extension-less .js downloader (IIj6sFosp) is dropped into %TEMP%, followed by rad5EC32.tmp.exe.
The host then makes UDP connections to all the IPs in 220.127.116.11/24 and 18.104.22.168/24 via port 6892. The user’s Desktop is then altered to display the Cerber ransom note, and an audio message tells the user that their files have been encrypted.
Below is an image of the Desktop and some Cerber files dropped into %TEMP%:
Some “README” .hta files are then dropped on the Desktop and in various folders. This HTML Application contains the Cerber Decryptor payment instructions.
If you’re working in a SOC or have multiple customers, you can scan their networks for hosts making UDP connections to the two subnets listed in the IOC section. You can then filter the traffic by UDP port 6892. It should be fairly easy to spot connections to an entire subnet. I would also highly recommend blocking the Rig EK IP address at your perimeter firewall(s).
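One way to run the hunt described above over exported flow records, as an added example that is not from the original post: it flags any internal host that sent UDP/6892 to most of the addresses in a single /24. The CSV layout (src,dst,proto,dport), the 200-address threshold, the function names and the RFC 5737 sample addresses are assumptions; pass the two subnets from the IOC section as `watch_subnets` to restrict matching to them.

```python
import csv
import io
import ipaddress
from collections import defaultdict

CERBER_UDP_PORT = 6892    # port named in the write-up
MIN_DISTINCT_DSTS = 200   # assumed threshold: most of a /24 hit by one host


def find_subnet_sweeps(flow_rows, watch_subnets=None, port=CERBER_UDP_PORT,
                       min_dsts=MIN_DISTINCT_DSTS):
    """Return {(src, dst_/24): distinct_dst_count} for hosts that sent UDP to
    `port` on at least `min_dsts` different addresses inside one /24."""
    watch = [ipaddress.ip_network(n, strict=False) for n in (watch_subnets or [])]
    seen = defaultdict(set)
    for row in flow_rows:
        if row["proto"].lower() != "udp" or int(row["dport"]) != port:
            continue
        dst = ipaddress.ip_address(row["dst"])
        if watch and not any(dst in net for net in watch):
            continue
        net24 = ipaddress.ip_network(f"{dst}/24", strict=False)
        seen[(row["src"], str(net24))].add(dst)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_dsts}


def build_sample_log():
    """Constructed flow log using RFC 5737 documentation ranges."""
    lines = ["src,dst,proto,dport"]
    # Infected-looking host: one datagram to every address in two /24s.
    for net in ("192.0.2", "198.51.100"):
        lines += [f"10.0.0.23,{net}.{i},udp,6892" for i in range(256)]
    # Benign noise: DNS, a single stray packet on 6892, TCP on the same port.
    lines += ["10.0.0.40,192.0.2.53,udp,53",
              "10.0.0.41,192.0.2.7,udp,6892",
              "10.0.0.42,198.51.100.9,tcp,6892"]
    return "\n".join(lines)


def scan(log_text, watch_subnets=None):
    """Parse CSV flow text and return the sweeping (source, /24) pairs."""
    return find_subnet_sweeps(csv.DictReader(io.StringIO(log_text)), watch_subnets)


if __name__ == "__main__":
    for (src, net), n in sorted(scan(build_sample_log()).items()):
        print(f"{src} -> {net}: {n} distinct destinations on UDP/{CERBER_UDP_PORT}")
```

Counting distinct destinations per /24 rather than matching single IPs is what separates the full-subnet sweep from a stray packet on the same port.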