pseudoDarkleech Leads to Rig-V EK at 194.87.232.99 and Drops Cerber. New Fingerprinting Technique / Gate?

IOCs:

  • 178.248.39.186 – innovatemyschool.com – Compromised website
  • 194.87.232.99 – add.smartpettags.org – Rig-V EK
  • Cerber checkin UDP traffic via port 6892:
    • 15.49.2.0/27
    • 122.1.13.0/27
    • 194.165.16.0/24
    • 194.165.17.0/24
  • 148.251.6.214 – btc.blockr.io – Bitcoin block explorer
  • 104.36.83.52 – avsxrcoq2q5fgrw2.4vona2.top
  • 103.232.215.140 – avsxrcoq2q5fgrw2.17rmvr.top – Cerber Decryptor site
  • 104.36.83.52 – avsxrcoq2q5fgrw2.wiaikl.top – Cerber Decryptor site
  • 217.197.83.197 – avsxrcoq2q5fgrw2.onion.to – Cerber Decryptor site

Traffic:

get-and-post-request-rigv-cerber

Sample of Cerber UDP Checkin Traffic (2 of the 4 subnets):
udp-cerber-checkin-trafficudp-cerber-checkin-traffic-2

Hashes:

SHA256: 22d46b8b93959c5703142f2520c11be6f405855c37304b466cc7d7222c8c3194
File name: RigV Exploit Kit Landing Page.html

SHA256: 701affbbe7769f422186d810ef42ed99103d279b990bd18ade5536c17a062882
File name: RigV Flash Exploit.swf

SHA256: 30c32c766f28e1cc64e94629ef30b1e30a8332c6e77337134276c940bfdab790
File name: MXj6sFosp

SHA256: 80655edc715a630b96021e65bd6aaedd567aace81b74ba0ca37ddaebd50c0dfc
File name: rad97CAA.tmp.exe, rad89D21.tmp, rad2C8A6.tmp
Hybrid-Analysis sample

Infection Chain:

The infection begins with the familiar pseudoDarkleech code being found on the compromised website:

compromised-site

In the picture above you can see that the iframe tag contains the malicious URL. Note: in the “Traffic” section above you can also see that I refreshed the compromised web page four times. This resulted in me getting four different URLs.

The first three times I refreshed the web page I got a full infection chain all delivering the same payload (file names are different but the hashes were all the same).

The URL shown in the compromised site image comes from the 4th attempt (circled in pink in the Traffic image), which failed. To be clear I will be using the first infection chain (circled in red in the Traffic image) throughout the rest of this blog post.

In a typical EK infection chain the user would visit the compromised site and the URL contained within the injected script would generate a GET request which would return the encoded landing page.

However, this was the first time that I’ve ever seen an infection chain use a GET for fingerprinting and then a POST to return the landing page. Below is the GET request generated by the URL in the iframe, as well as the response from the server:

fingerprinting-page

Normally the server would return an encoded landing page, however, this time the server returned a page which is meant to fingerprint the system. For the sake of our own clarity we are calling it the “fingerprinting page” but it basically is performing the function of a gate.

Below is the entire code returned by the server (comments added by my friend, pseudonym “elf”):

script-1script-2script-3

There are a lot of checks shown above but as you can see it boils down to if the User-Agent string is IE and if it is the NormalURL (the landing page) is requested via the POST method. In other words, if you’re not a bot and not using IE then it would give you a benign page. If you’re a bot then you get a 404 page. On the other hand, if you’re not a bot and are using IE then you get the landing page.

Below is the TCP stream showing the POST method being used for the request and the response from the server containing the landing page (partial image):

post-request-returns-landing-page

And here is the decoded landing page (provided by my friend “elf”):

landing-page

At the bottom of the image shown above you can see the URLs for the Flash exploit and Cerber ransomware payload.

Here are partial images of the Flash exploit and payload being requested and returned:

flash-exploitpayload

The payload is downloaded by a small script that is dropped in %Temp%:

js-downloader

We then see the .exe’s (rad97CAA.tmp.exe, rad89D21.tmp.exe, rad2C8A6.tmp.exe) dropping in %Temp% after each refresh of the browser:

temp

Also interesting to note that one of the folders is being named (partially) by my GUID.

After the host is successfully infected the Cerber ransom note is displayed on the desktop via a bitmap image and there are .hta ransom note files dropped in various locations:

desktop

Here is an image of the .hta ransomware Cerber instructions file:

cerber-ransomware-instructions-hta-file

My suggestion would be to block the EK IP and or sub-domain. Updated IDS rules can also help to detect Cerber’s UDP checkin traffic. Unfortunately my IDS did not detect the traffic:

ids-events

Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: