pseudoDarkleech Leads to Rig-V EK at 194.87.238.148 and Drops Cerber

IOCs:

  • 142.147.9.32 – carrollgymnastics.com – Compromised website
  • 194.87.238.148 – new.ehrlichusedautos.com – Rig-V EK
  • Cerber checkin UDP traffic via port 6892 (3 times for all IPs in each subnet listed below):
    • 15.49.2.0/27
    • 122.1.13.0/27
    • 194.165.16.0/24
    • 194.165.17.0/24
  • 148.251.6.214 – btc.blockr.io – Bitcoin block explorer
  • 54.91.45.162 – ffoqr3ug7m726zou.41c920.top – Cerber Decryptor site
  • 54.91.45.162 – ffoqr3ug7m726zou.rovr6i.top – Cerber Decryptor site
  • 192.157.248.209 – ffoqr3ug7m726zou.1hkmxu.top – Cerber Decryptor site
  • 185.100.85.150 – ffoqr3ug7m726zou.onion.top – Cerber Decryptor site

Traffic:

traffictraffic-2traffic-3

Hashes:

SHA256: aba6cf28484e85ee238077ad85d00a82f67e2cc45c4dbe9a4bf1f938e1638276
File name: Rig-V EK Landing Page.html

SHA256: 3f1cad5d97184d4a090182cc7bc952c939545bc7291f4dbc96ac121e29ba3236
File name: Rig-V EK Flash Exploit.swf

SHA256: 284a9869c421fe562d98c04dc0c4c51973e10c39570a21c9547562ff59f90bfc
File name: MXj6sFosp

SHA256: 96297e59f7e92c282c46b39fe7edbcab85d9e820b9e280c3ec38c520f00105fc
File name: rad82735.tmp.exe
Hybrid-Analysis Link

Infection Chain:

The infection started off with the host being redirected from a pseudoDarkleech script to the EK landing page. Below is an image of the script:

compromised-site

Once on the landing page the host was sent a Flash exploit and then a Cerber ransomware payload. Images of each step (landing page, Flash exploit, and payload) are shown below:

lpfepayload

The payload is downloaded by the following script, which is dropped in %Temp%:

js-downloader

The downloaded payload is then dropped in %Temp% under the name rad82735.tmp.exe. The executable deletes itself after the infection.

Below is an image of files created in %Temp%:

temp

The Desktop background then changes to the Cerber ransom note and there is an .hta ransom note dropped as well:

desktop

If you work in a SOC I would recommend scanning the networks that you monitor for Cerber’s UDP checkin traffic listed in the IOCs section. I would also block the EK IP address.

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: