Rig EK at 109.234.35.79 Drops Cerber

IOCs:

  • 67.222.1.229 – creeklinehouse.com – Compromised website
  • 109.234.35.79 – xc.executivegrowth.com – Rig EK
  • 31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via port 6892
  • 148.251.6.214 – btc.blockr.io – Bitcoin block explorer
  • 173.254.231.111:
    • ffoqr3ug7m726zou.zn90h4.bid – Cerber Decryptor payment site
    • ffoqr3ug7m726zou.e6cf2t.bid – Cerber Decryptor payment site
  • 107.161.95.138 – ffoqr3ug7m726zou.19jmfr.top – Cerber Decryptor payment site
  • 185.100.85.150 – ffoqr3ug7m726zou.onion.to – Cerber Decryptor payment site

Traffic:

[Images: traffic-1, traffic-2]

Hashes:

  1. SHA256: ac3bdebfc80bdfbcad406afe41444c7cf5dbe792ac5fb380de603dcf984103a0
    File name: RigEK Landing Page.html
  2. SHA256: 3474904d1dfd8943d3c779d621aa9767465532f288523bae6b57194b35fb3e6e
    File name: RigEK Flash Exploit.swf
  3. SHA256: 05d0f6625551fc4787430495d8c4f103e00624e7e64eb93b3c3bdbfb789981b2
    File name: IIj6sFosp
  4. SHA256: e14f32bdfbb2dc1117736029677effdedec2f570d73092261ba98f040a1b282f
    File name: rad690CD.tmp.exe
  5. SHA256: 74f2aa78e874d215f4a4b27b10ac3cfa2521dc2e9632a9eb13d52e8727e5fa74
    File name: Dialogs.dll

Infection Chain:

The compromised website that I visited was creeklinehouse.com. It has been injected with a malicious iframe that is associated with the pseudoDarkleech campaign. Below is an image of the iframe in the code:

[Image: compromised-site]

Once the page loads, the host is redirected to the Rig EK landing page, which then serves a Flash exploit, a JS downloader and the final payload. Here you can see the JS downloader (IIj6sFosp) and the payload (rad690CD.tmp.exe):

[Image: temp]

Note that it also drops the ransom-note bitmap image (tmpF1FD) and README.hta (the user instructions), and creates the two folders shown at the top (551ef835 and nsl36DB.tmp).

There were also numerous files created in the Roaming folder including the injector (Dialogs.dll):

[Image: roaming]

Lastly, we see the Cerber ransomware instructions (README.hta) dropped on the Desktop and the desktop wallpaper changed. Here is a picture of both the Desktop and a partial image of the instructions:

Here are some images of the Cerber Decryptor instruction pages:

[Images: cerber-decryptor-1, cerber-decryptor-2, cerber-decryptor-3, cerber-decryptor-4, cerber-decryptor-5]

I recommend blocking the Rig EK IP at your perimeter firewall(s). If necessary you can block access to the compromised website.
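As an added example (not part of the original post), the script below runs the IOCs listed above against a few constructed firewall/proxy log lines and labels each hit with the stage of the infection chain it belongs to. The log field layout is an assumption; adapt the parser to your own sensor's format.

```python
# Added example: match constructed log lines against the IOCs from the post.
# Assumed log layout: "<proto> <src_ip> <dst_ip> <dst_port> <host-or-dash>".
import ipaddress

# Indicators taken from the IOC list above.
RIG_EK_IP = "109.234.35.79"
COMPROMISED_SITE = "creeklinehouse.com"
CERBER_UDP_NETS = [ipaddress.ip_network("31.184.234.0/24"),
                   ipaddress.ip_network("31.184.235.0/24")]
CERBER_UDP_PORT = 6892
PAYMENT_SITES = {"ffoqr3ug7m726zou.zn90h4.bid", "ffoqr3ug7m726zou.e6cf2t.bid",
                 "ffoqr3ug7m726zou.19jmfr.top", "ffoqr3ug7m726zou.onion.to"}

# Constructed sample log; the last two lines should not match anything.
SAMPLE_LOG = """\
tcp 10.0.0.5 67.222.1.229 80 creeklinehouse.com
tcp 10.0.0.5 109.234.35.79 80 xc.executivegrowth.com
udp 10.0.0.5 31.184.234.17 6892 -
udp 10.0.0.5 31.184.235.200 6892 -
tcp 10.0.0.5 173.254.231.111 80 ffoqr3ug7m726zou.zn90h4.bid
tcp 10.0.0.5 93.184.216.34 443 example.com
udp 10.0.0.5 31.184.100.1 6892 -
"""

def classify(line):
    """Return the infection-chain stage a log line matches, or None."""
    proto, _src, dst, port, host = line.split()
    if host == COMPROMISED_SITE:
        return "compromised-site"
    if dst == RIG_EK_IP:
        return "rig-ek"
    # Cerber's post-infection UDP beaconing: right port AND right /24 ranges.
    if proto == "udp" and int(port) == CERBER_UDP_PORT and any(
            ipaddress.ip_address(dst) in net for net in CERBER_UDP_NETS):
        return "cerber-udp-beacon"
    if host in PAYMENT_SITES:
        return "cerber-payment-site"
    return None

def scan(log_text):
    """Return (dst_ip, stage) for every matching line, in log order."""
    hits = []
    for line in log_text.splitlines():
        stage = classify(line)
        if stage:
            hits.append((line.split()[2], stage))
    return hits

if __name__ == "__main__":
    for dst, stage in scan(SAMPLE_LOG):
        print(f"{stage:20s} {dst}")
```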
