- 18.104.22.168 – sienahotel.com – Compromised website
- 22.214.171.124 – new.mulchguystoledo.com – Rig-V EK
- Cerber check-in traffic via UDP port 6892:
- ICMP traffic from 126.96.36.199 via destination port 6892
- 188.8.131.52 – btc.blockr.io – Bitcoin block explorer
- 184.108.40.206 – ffoqr3ug7m726zou.16iqt6.top – Cerber Decryptor site
- 220.127.116.11 – ffoqr3ug7m726zou.onion.to – Cerber Decryptor site
- 18.104.22.168 – ffoqr3ug7m726zou.tse45f.top – Cerber Decryptor site
File name: RigV Flash Exploit.swf
File name: QXj6sFosp
File name: rad3ECBD.tmp.exe
File name: rad447D3.tmp.exe (2nd run)
The infection chain begins with the user browsing to sienahotel.com. This WordPress site was compromised and is being injected with the pseudoDarkleech script:
The iframe contains the URL for a Rig-V fingerprinting page. This page checks to see if the UA is IE and if it is it the host makes a POST request for the landing page. After being redirected to the landing page the host is sent a Flash exploit, receives a JS downloader (QXj6sFosp) in %temp%, and finally downloads the Cerber ransomware payload.
In my infection chain I used both a 32bit and 64bit version of Windows 7. Both infection chains returned the same Flash exploit and two different Cerber payloads. Below is an image from the %temp% on both systems after full infection:
There reason why you are seeing three Cerber payloads in %temp% is because I refreshed the compromised website three times on each host.
Processes from both executables:
Once infected the user is presented with Cerber ransomware instructions which contain links to the Cerber Decryptor sites. The ransom note instructions are saved on the Desktop and in various folders.
You might want to consider blocking the EK sub-domain and IP address to prevent redirections to the EK server. Scanning your network(s) for the Cerber UDP check-in traffic will show you potential compromised hosts.