- 220.127.116.11 – neilfoote.com – Compromised website
- 18.104.22.168 – new.toyotaoflaramie.com – Rig-V EK
- Cerber check-in traffic via UDP port 6892:
- ICMP traffic from 22.214.171.124 via destination port 6892
- 126.96.36.199 – ffoqr3ug7m726zou.zgyua4.top
- 188.8.131.52 – btc.blockr.io – Bitcoin block explorer
- ffoqr3ug7m726zou.162egg.top – Cerber Decryptor site
- ffoqr3ug7m726zou.rssh31.bid – Cerber Decryptor site
- ffoqr3ug7m726zou.onion.to – Cerber Decryptor site
Traffic (GET and POST):
Cerber Check-in traffic via UDP port 6892 and ICMP traffic:
File name: RigV Landing Page.html
File name: Rig-V Flash Exploit Second Run.swf
File name: rad912D5.tmp.exe, rad421EE.tmp.exe (Hybrid-Analysis Link)
File name: radC8936.tmp.exe
The infection begins with the familiar pseudoDarkleech code being found on the compromised website:
As I first noted on 12/05/16, Rig-V is now using a fingerprinting technique prior to redirecting the host to the landing page. The URL shown in the image above points to that fingerprinting page. Here is a sample of the code:
There are a lot of checks being done on this page but as you can see it boils down to if the User-Agent string is IE and if it is the NormalURL (the landing page) is requested via the POST method.
In other words, if you’re not a bot and not using IE then it would give you a benign page. If you’re a bot then you get a 404 page. On the other hand, if you’re not a bot and are using IE then you get the landing page.
If you want to see the full write up on the code shown above visit my post HERE.
Next we see the POST using the URL contained in “NormalURL”, followed by the server delivering the encoded landing page:
The decoded landing page contains the URL for both the Flash exploit and the Cerber payload. A JS/Downloader is responsible for downloading the payload and dropping it in the %Temp% folder (1st, 2nd, and 3rd run):
Once infected there are numerous ransomware notes (.hta) created in various folders and dropped on the Desktop. The background image is also changed to a bitmap showing some ransom information:
Below is an image of alerts generated by my IDS:
Block the EK sub-domain and IP address.