pseudoDarkleech Leads to Rig EK at 5.200.55.126 and Drops Cerber

IOCs:

  • 66.147.244.158 – tbcphoenix.org – Compromised website
  • 5.200.55.126 – ew.albanyparklocksmithchicago.com – Rig EK
  • 194.165.16.0/24, 194.165.17.0/24, 194.165.18.0/24, 194.165.19.0/24 – UDP port 6892
  • 148.251.6.214 – btc.blockr.io – Bitcoin block explorer
  • 136.243.157.171 – ffoqr3ug7m726zou.le2brr.bid – Cerber Decryptor site

Traffic:

[Images: traffic, traffic-2]

Hashes:

SHA256: 79cfb143bb59ba051584be153aa1b0669eaa872630ebc647befaf7109a93d3df
File name: RigEK Landing Page.html

SHA256: 4f2936fc74f7982fb450a0edfd0e200c0301b3cba56f3e55cc08cf92d423917d
File name: RigEK Flash Exploit.swf

SHA256: 0601888775c21e42d533e028678b91ad70ed7656a2a7aa68f5d46fad2c1c6fbe
File name: MXj6sFosp

SHA256: 4670062ce62f8f49fc67ab045293290c5657fec8c7a30e9bda592379720c0112
File name: radA5CCD.tmp.exe

SHA256: f1f88c99d09478f1312e47b7dea5c48aa52b2f72787b111af3044f81614abd00
File name: Perl.dll

Infection Chain:

The user would visit the compromised site (tbcphoenix.org) and then be redirected via the pseudoDarkleech iframe that has been injected into the site source code. Below is an image of the malicious iframe in the HTML code:

[Image: compromised-site]

Once the host is redirected to the Rig EK landing page it is sent a Flash exploit and an extension-less JScript file that acts as a downloader. The downloader in this case was called MXj6sFosp. The downloader then generates a request for the payload. Below is an image of the obfuscated JScript:

[Image: js-downloader]

This JScript downloads the payload, writes it to %TEMP% and executes it. Once the payload is running, the JScript deletes itself. As you can clearly see, the payload in this case was an executable (radA5CCD.tmp.exe).

Below is an image of some additional Cerber related files/folders created in %TEMP% as well as an image of the Desktop after the infection:

[Image: temp-and-desktop]

We can also see that it created some files in the user’s Roaming folder:

[Image: roaming]

I would recommend blocking the Rig EK IP address at your perimeter firewall(s). You could also scan your network for any host making UDP connections on port 6892 to the following subnets:

  • 194.165.16.0/24
  • 194.165.17.0/24
  • 194.165.18.0/24
  • 194.165.19.0/24
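As an added example (not part of the original post), the hunt described above over flow records: it flags any internal host sending UDP/6892 to the four /24s listed, and collapses those ranges into a single block for a firewall rule. The flow records and internal addresses are constructed sample data, and the whitespace-separated record format is an assumption.

```python
import ipaddress
from collections import defaultdict

# The four /24s and the UDP port given in the post's IOCs.
CERBER_UDP_NETS = [ipaddress.ip_network(n) for n in (
    "194.165.16.0/24", "194.165.17.0/24",
    "194.165.18.0/24", "194.165.19.0/24")]
CERBER_UDP_PORT = 6892

# Constructed sample flow records (not from the post): proto src dst dport.
SAMPLE_FLOWS = """\
udp 10.0.0.15 194.165.17.44 6892
udp 10.0.0.15 194.165.18.201 6892
tcp 10.0.0.22 148.251.6.214 443
udp 10.0.0.22 8.8.8.8 53
udp 10.0.0.31 194.165.16.9 6892
udp 10.0.0.40 194.165.20.5 6892
"""


def is_cerber_udp(proto, dst, dport):
    """True when a flow is UDP to port 6892 inside one of the listed /24s."""
    if proto.lower() != "udp" or int(dport) != CERBER_UDP_PORT:
        return False
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in CERBER_UDP_NETS)


def flag_hosts(flow_text):
    """Return {src_host: [dst, ...]} for every host with a matching flow."""
    hits = defaultdict(list)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, dport = line.split()
        if is_cerber_udp(proto, dst, dport):
            hits[src].append(dst)
    return dict(hits)


def firewall_block_ranges():
    """Collapse the four adjacent /24s into the smallest set of CIDR blocks."""
    return [str(n) for n in ipaddress.collapse_addresses(CERBER_UDP_NETS)]


if __name__ == "__main__":
    for host, dsts in flag_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {len(dsts)} UDP/6892 flow(s) to Cerber range -> {dsts}")
    print("block:", firewall_block_ranges())
```

The host talking to 194.165.20.5 is deliberately outside the listed ranges and is not flagged, so the check stays tied to the post's IOCs rather than matching port 6892 alone.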

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
