pseudoDarkleech Leads to Rig-V EK at 46.30.46.210 and Drops Cerber

IOCs:

  • 74.220.207.74 – neilfoote.com – Compromised website
  • 46.30.46.210 – new.toyotaoflaramie.com – Rig-V EK
  • Cerber check-in traffic via UDP port 6892:
    • 15.49.2.0/27
    • 122.1.13.0/27
    • 194.165.16.0/24
    • 194.165.17.0/24
  • ICMP traffic from 95.141.21.37 via destination port 6892
  • 185.98.87.153 – ffoqr3ug7m726zou.zgyua4.top
  • 148.251.6.214 – btc.blockr.io – Bitcoin block explorer
  • ffoqr3ug7m726zou.162egg.top – Cerber Decryptor site
  • ffoqr3ug7m726zou.rssh31.bid – Cerber Decryptor site
  • ffoqr3ug7m726zou.onion.to – Cerber Decryptor site

Traffic (GET and POST):

[image: traffic]

Cerber Check-in traffic via UDP port 6892 and ICMP traffic:

[image: udp-and-icmp-traffic]

Hashes:

SHA256: 4cdc8733acda1c748e384fd7c3c185a1249e4c4cb47d9b510dad42287c408c50
File name: RigV Landing Page.html

SHA256: d0000aeae613ca0b19b19029fb7d57eddf3c02b39061468fd3597da04f85ecf7
File name: Rig-V Flash Exploit Second Run.swf

SHA256: 8e42da9daf16eca265fbe0d91cf4843212518fd930f212569a1100895f9b390b
File name: rad912D5.tmp.exe, rad421EE.tmp.exe (Hybrid-Analysis Link)

SHA256: 3a9a8c275a89beef4ee352af685cfaa71e6f6545273717fd89da227454dd983f
File name: radC8936.tmp.exe

Infection Chain:

The infection begins with the familiar pseudoDarkleech code being found on the compromised website:

[image: compromised-site]

As I first noted on 12/05/16, Rig-V is now using a fingerprinting technique prior to redirecting the host to the landing page. The URL shown in the image above points to that fingerprinting page. Here is a sample of the code:

[image: ua-check]

There are a lot of checks being done on this page, but as you can see it boils down to whether the User-Agent string is IE; if it is, the NormalURL (the landing page) is requested via the POST method.

In other words, if you’re not a bot and not using IE then it would give you a benign page. If you’re a bot then you get a 404 page. On the other hand, if you’re not a bot and are using IE then you get the landing page.

If you want to see the full write up on the code shown above visit my post HERE.

Next we see the POST using the URL contained in “NormalURL”, followed by the server delivering the encoded landing page:

[image: landing-page]

The decoded landing page contains the URL for both the Flash exploit and the Cerber payload. A JS/Downloader is responsible for downloading the payload and dropping it in the %Temp% folder (1st, 2nd, and 3rd run):

Once infected there are numerous ransomware notes (.hta) created in various folders and dropped on the Desktop. The background image is also changed to a bitmap showing some ransom information:

[image: desktop]

Below is an image of alerts generated by my IDS:

[image: ids-alerts]

Block the EK sub-domain and IP address.
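As an added example (not part of the original post), the script below turns the IOCs above into a simple flow-log check: UDP to port 6892 inside the listed check-in ranges, ICMP coming back from 95.141.21.37, and any contact with the Rig-V EK IP. The "proto src dst dport" line format and the 10.0.0.x internal hosts are constructed for the demonstration, not a real capture.

```python
import ipaddress
import re

# Indicators taken from the IOC list in this post.
CERBER_CHECKIN_NETS = [ipaddress.ip_network(n) for n in (
    "15.49.2.0/27", "122.1.13.0/27", "194.165.16.0/24", "194.165.17.0/24")]
CERBER_CHECKIN_PORT = "6892"
CERBER_ICMP_SRC = ipaddress.ip_address("95.141.21.37")
RIG_V_EK_IP = ipaddress.ip_address("46.30.46.210")

# Constructed sample flows in a hypothetical "proto src dst dport" layout
# (not a real capture; the 10.0.0.x hosts are made up).
SAMPLE_FLOWS = """\
udp 10.0.0.15 15.49.2.7 6892
udp 10.0.0.15 122.1.13.30 6892
udp 10.0.0.15 8.8.8.8 53
icmp 95.141.21.37 10.0.0.15 -
tcp 10.0.0.15 46.30.46.210 80
udp 10.0.0.22 194.165.16.200 6892
udp 10.0.0.22 194.165.18.1 6892
tcp 10.0.0.31 93.184.216.34 443
"""

FLOW_RE = re.compile(r"^(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\S+)$")


def classify_flow(line):
    """Return (internal_host, label) if the flow matches an indicator, else None."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    proto = m["proto"]
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    # Cerber check-in: UDP to port 6892 inside one of the listed ranges.
    if proto == "udp" and m["dport"] == CERBER_CHECKIN_PORT \
            and any(dst in net for net in CERBER_CHECKIN_NETS):
        return (str(src), "cerber-checkin")
    # ICMP coming back from the host the post saw responding to the check-ins.
    if proto == "icmp" and src == CERBER_ICMP_SRC:
        return (str(dst), "cerber-icmp")
    # Any contact with the Rig-V EK server.
    if dst == RIG_V_EK_IP:
        return (str(src), "rig-v-ek")
    return None


def find_hits(flow_text):
    """Map each internal host to the set of indicator labels it triggered."""
    hits = {}
    for line in flow_text.splitlines():
        result = classify_flow(line)
        if result:
            host, label = result
            hits.setdefault(host, set()).add(label)
    return hits
```

A host that triggers both the EK contact and the UDP check-in (as 10.0.0.15 does here) is the pattern to hunt for first; the 194.165.18.1 flow is deliberately outside the listed /24s and does not match.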
