Rig EK at 212.116.121.122 Drops Cerber Ransomware

IOCs:

  • 50.62.216.150 – heathfoodstorenewsmyrna.com – Compromised website
  • 212.116.121.122 – we.jessicaandclayton.com – Rig EK
  • 31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via port 6892
  • 148.251.6.214 – btc.blockr.io – Bitcoin block explorer
  • 107.161.95.138 – ffoqr3ug7m726zou.zn90h4.bid – Cerber Decryptor payment site

Traffic:

[Images: traffic captures 1 and 2]

Hashes:

  1. SHA256: 2c68d7b4f7bb14a8b9f3986360bd351f34565eb0a4029ee01cc8588bcddb8c50
    File name: RigEK Landing Page.html
  2. SHA256: 3474904d1dfd8943d3c779d621aa9767465532f288523bae6b57194b35fb3e6e
    File name: RigEK Flash Exploit.swf
  3. SHA256: 05d0f6625551fc4787430495d8c4f103e00624e7e64eb93b3c3bdbfb789981b2
    File name: IIj6sFosp
  4. SHA256: e14f32bdfbb2dc1117736029677effdedec2f570d73092261ba98f040a1b282f
    File name: rad58011.tmp.exe
  5. SHA256: 74f2aa78e874d215f4a4b27b10ac3cfa2521dc2e9632a9eb13d52e8727e5fa74
    File name: Dialogs.dll

Infection Chain:

The compromised website I visited was heathfoodstorenewsmyrna.com. It had been injected with a malicious iframe associated with the pseudoDarkleech campaign. Below is an image of the iframe in the page source:

[Image: compromised site source showing the injected iframe]

Once the page loads, the host is redirected to the Rig EK landing page. The host is then sent a Flash exploit, a JS downloader and the payload. Here you can see the JS downloader (IIj6sFosp) and the payload (rad58011.tmp.exe) in the Temp folder:

[Image: Temp folder listing]

Note that it also drops the ransom note bitmap image (tmp140D) and README.hta (the user instructions), and creates the two folders shown at the top of the listing (551ef835 and ns22EE.tmp).

There were also numerous files created in the Roaming folder including the injector (Dialogs.dll):

[Image: Roaming folder listing]

Lastly, we see the Cerber ransomware instructions (README.hta) dropped on the Desktop and the desktop wallpaper changed. Here is a picture of the Desktop along with a partial image of the instructions:

Here are some images of the Cerber Decryptor instruction pages:

[Images: Cerber Decryptor instruction pages 1 to 5]

I recommend blocking the Rig EK IP address (212.116.121.122) at your perimeter firewall(s). If necessary, you can also block access to the compromised website.
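Beyond a firewall block, the indicators above can be turned into a simple retrospective check of outbound connection logs. The script below is an added example, not part of the original post; it assumes a hypothetical, constructed log line format and uses the post's IPs, domains, /24 ranges and UDP port as the match set.

```python
import ipaddress
import re

# Indicators copied from the post, each mapped to its role in the chain.
HOST_IOCS = {
    "50.62.216.150": "compromised website",
    "212.116.121.122": "Rig EK",
    "148.251.6.214": "Bitcoin block explorer",
    "107.161.95.138": "Cerber Decryptor payment site",
}
DOMAIN_IOCS = {
    "heathfoodstorenewsmyrna.com": "compromised website",
    "we.jessicaandclayton.com": "Rig EK",
    "btc.blockr.io": "Bitcoin block explorer",
    "ffoqr3ug7m726zou.zn90h4.bid": "Cerber Decryptor payment site",
}
# Post-infection UDP traffic in the capture went to these /24s on port 6892.
UDP_RANGES = [ipaddress.ip_network("31.184.234.0/24"), ipaddress.ip_network("31.184.235.0/24")]
UDP_PORT = 6892
# Hypothetical log format (constructed): <time> <proto> <src>:<port> -> <dst>:<port> host=<name|->
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) host=(?P<host>\S+)$")

def classify(line):
    """Return the role of the indicator a log line matches, or None if clean."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dst, host = m.group("dst"), m.group("host").lower()
    if dst in HOST_IOCS:
        return HOST_IOCS[dst]
    for domain, role in DOMAIN_IOCS.items():
        if host == domain or host.endswith("." + domain):  # subdomains too
            return role
    if m.group("proto") == "UDP" and int(m.group("dport")) == UDP_PORT:
        if any(ipaddress.ip_address(dst) in net for net in UDP_RANGES):
            return "Cerber UDP traffic range"
    return None

def scan(lines):
    """Return (line, role) pairs for every log line that hits an indicator."""
    return [(line, role) for line in lines if (role := classify(line))]

# Constructed sample: the chain, one Cerber UDP hit and one near-miss outside the /24s.
SAMPLE_LOG = [
    "10:01:02 TCP 10.0.0.5:51000 -> 50.62.216.150:80 host=heathfoodstorenewsmyrna.com",
    "10:01:03 TCP 10.0.0.5:51001 -> 212.116.121.122:80 host=we.jessicaandclayton.com",
    "10:01:09 UDP 10.0.0.5:51002 -> 31.184.234.77:6892 host=-",
    "10:01:09 UDP 10.0.0.5:51003 -> 31.184.236.9:6892 host=-",
]
```

The UDP check deliberately requires both the listed /24 range and port 6892, since a bare /24 match would flag unrelated traffic to those networks.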

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
