pseudoDarkleech Redirects Host to Rig-V EK at 81.177.6.49 and Drops Cerber

IOCs:

  • 162.255.161.10 – luckystavern.com – Compromised site
  • 81.177.6.49 – will.warondoctors.info – Rig-V EK
  • Cerber check-in traffic via UDP port 6892:
    • 37.15.20.0/27
    • 77.1.12.0/27
    • 91.239.24.0/24
    • 91.239.25.0/24
  • 148.251.6.214 – btc.blockr.io – Bitcoin block explorer
  • 23.152.0.137 – ffoqr3ug7m726zou.13inb1.top – Cerber Decryptor site

Traffic:

[Images: traffic-1, traffic-2]

Hashes:

SHA256: 948785c8a2c441345317ea80e1fd7c622599932dade375872b9c5b9030a61145
File name: RigV UA check page.html

SHA256: 699fe5529a3a6928717e47300646d18f36a6ce21823228fffdd52d06e9aa9cd5
File name: RigV EK Landing Page.html

SHA256: 103c5613e30c8eb9083ffd47ee439fba726d0fe13de577b30307e4910c0fc68f
File name: RigV EK Flash Exploit.swf

SHA256: 45d8bdd3e6991e6429acbbb8f149ffbd069dca5af4465fbf1071fc3ac73fec22
File name: radF31F1.tmp.exe
Hybrid-Analysis Submission

Infection Chain:

The infection begins when the user visits the compromised website, which contains injected script associated with the pseudoDarkleech campaign. This script redirects the host to a Rig-V User-Agent checking page. Below is an image of the HTTP request and the web server's response, which returns a page containing the script:

[Image: pseudodarkleech-script]

The iframe above contains the URL for the Rig-V User-Agent checking page.

The script on the User-Agent check page is designed to identify the browser being used. The page also contains the URL for the Rig-V landing page. If the conditions are met, the host makes a POST request to the landing page URL. For more information on the User-Agent checking page, please refer to my previous blog post HERE.

The server then returns the landing page, which contains more script. Next we see the requests for a Flash exploit and the Cerber ransomware payload.

[Image: landing-page] Partial image of the response containing the landing page
[Image: flash-exploit] Partial image of the response containing the Flash exploit
[Image: payload] Partial image of the response containing the Cerber ransomware payload

A JS downloader is dropped in %Temp%, followed by the Cerber payload. Both files delete themselves.

[Image: temp]

Notice there are 3 other Cerber payloads in %Temp% (radD3343.tmp.exe, rad032EB.tmp.exe, and rad0D585.tmp.exe). This happened because I refreshed the compromised site 3 additional times and got the full infection chain each time. The filenames differ, but the hash values were identical.

After infection the user sees a ransom note image pop up on their screen, named _README_[7 alphanumeric characters]_.jpg, and a Cerber ransomware instructions page named _README_[7 alphanumeric characters]_.hta. The instructions explain how the user can decrypt their encrypted files.

Encrypted files are renamed and have a 4-character extension appended. My files were appended with .ab8b; however, the extension is derived from the machine GUID of the infected host.

For example: xxxxxxxx-xxxx-xxxx-ab8b-xxxxxxxxxxxx

This shouldn't be a surprise, since Cerber also creates and names folders and files in %Temp% after partial sections of the machine GUID.

To check your machine GUID you can use regedit.exe and find it in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography.
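As an added example (not code from the original post), here is a small Python triage helper that ties together the UDP port 6892 check-in ranges from the IOC list and the GUID-derived extension described above. The flow records and GUID are constructed samples, and the rule that the extension is the fourth GUID group is an assumption generalised from the .ab8b example.

```python
import ipaddress
import re

# Cerber check-in destinations from the IOC list above (UDP port 6892).
CERBER_CHECKIN_NETS = [ipaddress.ip_network(n) for n in (
    "37.15.20.0/27", "77.1.12.0/27", "91.239.24.0/24", "91.239.25.0/24")]
CERBER_CHECKIN_PORT = 6892

# Constructed sample flow records (src, dst, proto, dst_port); not real capture data.
SAMPLE_FLOWS = [
    ("10.0.0.5", "91.239.24.17", "udp", 6892),
    ("10.0.0.5", "77.1.12.40", "udp", 6892),    # outside the /27 (hosts .0-.31)
    ("10.0.0.5", "37.15.20.9", "udp", 6892),
    ("10.0.0.5", "8.8.8.8", "udp", 53),
    ("10.0.0.5", "91.239.25.200", "tcp", 6892),  # right range, wrong protocol
]

def is_cerber_checkin(dst, proto, dst_port):
    """True when a flow matches the UDP/6892 check-in pattern from the IOCs."""
    if proto.lower() != "udp" or dst_port != CERBER_CHECKIN_PORT:
        return False
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in CERBER_CHECKIN_NETS)

def flag_checkins(flows):
    """Return (src, dst) pairs of flows that look like Cerber check-in traffic."""
    return [(s, d) for s, d, p, port in flows if is_cerber_checkin(d, p, port)]

# Machine GUID layout: 8-4-4-4-12 hex groups; the fourth group is captured.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-([0-9a-f]{4})-[0-9a-f]{12}$", re.I)

def expected_extension(machine_guid):
    """Derive the 4-character extension (assumed: fourth GUID group, e.g. .ab8b)."""
    m = GUID_RE.match(machine_guid.strip("{}"))
    if not m:
        raise ValueError("not a GUID: %r" % machine_guid)
    return "." + m.group(1).lower()

def classify_filename(name, machine_guid):
    """Label a filename as a Cerber ransom note, an encrypted file, or other."""
    if re.fullmatch(r"_README_[0-9A-Za-z]{7}_\.(hta|jpg)", name):
        return "ransom_note"
    if name.lower().endswith(expected_extension(machine_guid)):
        return "encrypted"
    return "other"
```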

The Desktop is also changed to a .bmp image of the ransom note. Below are images of the Desktop, ransom notes, and encrypted file.

Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
