pseudoDarkleech Points to Rig-V EK at 195.133.48.182 and Drops Cerber

IOCs:

  • 206.188.193.241 – sienahotel.com – Compromised website
  • 195.133.48.182 – new.mulchguystoledo.com – Rig-V EK
  • Cerber check-in traffic via UDP port 6892:
    • 15.49.2.0/27
    • 122.1.13.0/27
    • 194.165.16.0/24
    • 194.165.17.0/24
  • ICMP traffic from 95.141.21.37 referencing destination port 6892 (ICMP itself carries no ports; the port is taken from the UDP header quoted inside the ICMP message)
  • 148.251.6.214 – btc.blockr.io – Bitcoin block explorer
  • 185.44.105.11 – ffoqr3ug7m726zou.16iqt6.top – Cerber Decryptor site
  • 185.100.85.150 – ffoqr3ug7m726zou.onion.to – Cerber Decryptor site
  • 185.69.153.226 – ffoqr3ug7m726zou.tse45f.top – Cerber Decryptor site

Traffic:

[Traffic screenshots: traffic-1, traffic-2 (only a partial image of the UDP check-in traffic is shown)]

Hashes:

SHA256: a3a9a34b1cb6a95153038c3f52110e4a4d8e5aa9bbebfff6aaa35ed2ffafda61
File name: RigV Flash Exploit.swf

SHA256: 06837a9b2209459006645507eb895a6f0bb720e62c94dcd6d121ad8fef071229
File name: QXj6sFosp

SHA256: 374444003ba034b649b05fa672deb85465fa6d0fedcaa3802cfaf76a42173ae9
File name: rad3ECBD.tmp.exe
Hybrid-Analysis Submission

SHA256: 5a2c93dfcc07736067e758aa6d7389b001161161309af1b9878f91d5ac215377
File name: rad447D3.tmp.exe (2nd run)
Hybrid-Analysis Submission

Infection Chain:

The infection chain begins with the user browsing to sienahotel.com. This WordPress site was compromised and had the pseudoDarkleech script injected into its pages:

[Image: pseudoDarkleech script]

The iframe contains the URL for a Rig-V fingerprinting page. That page checks whether the User-Agent is Internet Explorer; if it is, the host makes a POST request for the landing page. After being redirected to the landing page, the host is sent a Flash exploit, receives a JS downloader (QXj6sFosp) in %temp%, and finally downloads the Cerber ransomware payload (the rad*.tmp.exe files listed above).

In my infection chain I used both a 32-bit and a 64-bit version of Windows 7. Both infection chains returned the same Flash exploit and two different Cerber payloads. Below is an image of %temp% on both systems after full infection:

The reason you see three Cerber payloads in %temp% is that I refreshed the compromised website three times on each host.

Processes from both executables:

Once infected, the user is presented with the Cerber ransom instructions, which contain links to the Cerber Decryptor sites listed in the IOCs. The ransom note is saved on the Desktop and in various other folders.

[Image: desktop]

You might want to consider blocking the EK subdomain (new.mulchguystoledo.com) and IP address (195.133.48.182) to prevent redirections to the EK server. Scanning your network(s) for the Cerber UDP check-in traffic (UDP destination port 6892 to the ranges listed above) will show you potentially compromised hosts; an infected host sends to many addresses in a range, so a single stray datagram is less interesting than a burst to dozens of neighbouring destinations.
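As an added example (not code from the original post), the script below applies the UDP/6892 check-in indicator and the Rig-V EK IP from the IOC list to connection records and reports the hosts that match. It assumes a Zeek-style tab-separated conn.log layout (ts, orig_h, orig_p, resp_h, resp_p, proto); the sample records are constructed for the example and are not captured traffic from this infection.

```python
import ipaddress
from collections import defaultdict

# IOCs from the post: Cerber check-in destination ranges and port, Rig-V EK host.
CERBER_CHECKIN_RANGES = [
    ipaddress.ip_network(n)
    for n in ("15.49.2.0/27", "122.1.13.0/27", "194.165.16.0/24", "194.165.17.0/24")
]
CERBER_CHECKIN_PORT = 6892
RIGV_EK_IP = ipaddress.ip_address("195.133.48.182")

# Constructed sample records (assumed Zeek conn.log-like layout:
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto). Not from the post.
SAMPLE_LOG = "\n".join([
    "1478000001.1\t10.0.0.5\t49152\t195.133.48.182\t80\ttcp",
    "1478000002.3\t10.0.0.5\t51234\t15.49.2.7\t6892\tudp",
    "1478000002.4\t10.0.0.5\t51234\t15.49.2.8\t6892\tudp",
    "1478000002.5\t10.0.0.5\t51234\t194.165.16.200\t6892\tudp",
    "1478000003.0\t10.0.0.9\t53001\t8.8.8.8\t53\tudp",
    "1478000004.0\t10.0.0.9\t53002\t194.165.18.1\t6892\tudp",  # port matches, range does not
    "1478000005.0\t10.0.0.12\t40000\t122.1.13.20\t6892\tudp",
    "1478000006.0\t10.0.0.12\t40001\t122.1.13.20\t6893\tudp",  # wrong port
])


def parse_conn_line(line):
    """Split one tab-separated record into typed fields."""
    ts, orig_h, orig_p, resp_h, resp_p, proto = line.split("\t")
    return {
        "ts": float(ts),
        "orig_h": ipaddress.ip_address(orig_h),
        "orig_p": int(orig_p),
        "resp_h": ipaddress.ip_address(resp_h),
        "resp_p": int(resp_p),
        "proto": proto.lower(),
    }


def is_cerber_checkin(resp_h, resp_p, proto):
    """True when the flow is UDP to port 6892 and lands in a listed range."""
    if proto != "udp" or resp_p != CERBER_CHECKIN_PORT:
        return False
    return any(resp_h in net for net in CERBER_CHECKIN_RANGES)


def scan_conn_log(log_text):
    """Return {source_host: {"checkin_dsts": set, "ek_contact": bool}} for every
    host that shows at least one indicator; clean hosts are omitted."""
    findings = defaultdict(lambda: {"checkin_dsts": set(), "ek_contact": False})
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        src = str(rec["orig_h"])
        if is_cerber_checkin(rec["resp_h"], rec["resp_p"], rec["proto"]):
            findings[src]["checkin_dsts"].add(str(rec["resp_h"]))
        if rec["resp_h"] == RIGV_EK_IP:
            findings[src]["ek_contact"] = True
    return dict(findings)


def summarize(findings):
    """One line per flagged host, most distinct check-in destinations first.
    The destination count matters: Cerber sprays a whole range, so a host
    with many distinct destinations is a far stronger signal than one datagram."""
    rows = sorted(findings.items(), key=lambda kv: (-len(kv[1]["checkin_dsts"]), kv[0]))
    return [
        f'{host}: {len(f["checkin_dsts"])} check-in destination(s) on UDP/{CERBER_CHECKIN_PORT}'
        + (", contacted Rig-V EK host" if f["ek_contact"] else "")
        for host, f in rows
    ]


if __name__ == "__main__":
    for line in summarize(scan_conn_log(SAMPLE_LOG)):
        print(line)
```

Feed it a real conn.log (drop the header lines and pick the six columns above) and the host with the most distinct destinations in a single /27 or /24 is the one to pull first; the EK-contact flag ties the UDP activity back to the Rig-V redirect that started the chain.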
