pseudoDarkleech Redirects to Rig-V at 195.133.49.182 Which Drops Cerber

IOCs:

  • 166.62.25.210 – dunlogginvet.com – Compromised website
  • 195.133.49.182 – art.thinleadermd.com – Rig-v EK sub-domain
  • Cerber check-in traffic via UDP port 6892:
    • 37.15.20.0/27
    • 77.1.12.0/27
    • 91.239.24.0/24
    • 91.239.25.0/24
  • 148.251.6.214 – btc.blockr.io – Bitcoin block explorer
  • 185.82.200.167 – avsxrcoq2q5fgrw2.1gaje2.top – Cerber Decryptor site

Traffic:

traffic-1

traffic-2
All UDP check-in traffic not shown

Hashes:

SHA256: df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf
File name: Rig-V Flash Exploit.swf

SHA256: 9f93a612da234591aa2645277aa0672ad53cfebe2697bdcf5e38e0920e270d35
File name: OTTYUADAF

SHA256: d6a7f7253e30ffbfddc85c34a905dd9022819df0629c698fe71bec384b041f6d
File name: radE36E2.tmp.exe
Hybrid-Analysis Submission

Infection Chain:

The infection begins with the compromised WordPress site being injected with the pseudoDarkleech script.

pseudodarkleech-script
pseudoDarkleech script shown above (within the span tags)

The script redirects the host to the Rig-v EK landing page. Once on the landing page the host was sent a Flash exploit, a JS dropper, and finally the Cerber payload. Below is an image of the JS dropper:

js-dropper

We see the JS dropper and then the payload being downloaded to %temp%:

temp

As with the case for pseudoDarkleech lately the compromised site can be refreshed numerous times meaning you are likely going to see multiple downloads of the Flash exploit and payload.

Following the execution of the payload we see the check-in traffic via UDP port 6892. The check-in subnets seen in this infection seem to be new.

I also noticed that during this infection the Cerber Instructions (contained within the .hta files) only had one location for the decryption software whereas it has been giving user’s multiple sub-domains:

cerber-instructions-page

Once infected a .jpg of the ransom note “_README_[7 alpha numeric]_” was displayed, as well as the background image of the Desktop is changed to a .bmp of the ransom note (found in %Temp%).

Users will find the Cerber ransomware instructions (.hta files in the format _README_[7 alpha numeric]_) in any folder with encrypted files. Encrypted files are renamed and appended with .ab8b.

encrypted-files

Below is an image of the Desktop post-infection:

desktop

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: