- 220.127.116.11 – dunlogginvet.com – Compromised website
- 18.104.22.168 – art.thinleadermd.com – Rig-v EK sub-domain
- Cerber check-in traffic via UDP port 6892:
- 22.214.171.124 – btc.blockr.io – Bitcoin block explorer
- 126.96.36.199 – avsxrcoq2q5fgrw2.1gaje2.top – Cerber Decryptor site
File name: Rig-V Flash Exploit.swf
File name: OTTYUADAF
File name: radE36E2.tmp.exe
The infection begins with the compromised WordPress site being injected with the pseudoDarkleech script.
The script redirects the host to the Rig-v EK landing page. Once on the landing page the host was sent a Flash exploit, a JS dropper, and finally the Cerber payload. Below is an image of the JS dropper:
We see the JS dropper and then the payload being downloaded to %temp%:
As with the case for pseudoDarkleech lately the compromised site can be refreshed numerous times meaning you are likely going to see multiple downloads of the Flash exploit and payload.
Following the execution of the payload we see the check-in traffic via UDP port 6892. The check-in subnets seen in this infection seem to be new.
I also noticed that during this infection the Cerber Instructions (contained within the .hta files) only had one location for the decryption software whereas it has been giving user’s multiple sub-domains:
Once infected a .jpg of the ransom note “_README_[7 alpha numeric]_” was displayed, as well as the background image of the Desktop is changed to a .bmp of the ransom note (found in %Temp%).
Users will find the Cerber ransomware instructions (.hta files in the format _README_[7 alpha numeric]_) in any folder with encrypted files. Encrypted files are renamed and appended with .ab8b.
Below is an image of the Desktop post-infection: