- 220.127.116.11 – luckystavern.com – Compromised site
- 18.104.22.168 – will.warondoctors.info – Rig-V EK
- Cerber check-in traffic via UDP port 6892:
- 22.214.171.124 – btc.blockr.io – Bitcoin block explorer
- 126.96.36.199 – ffoqr3ug7m726zou.13inb1.top – Cerber Decryptor site
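As an added example (not from the original post or its pcap), here is a small Python triage script that walks a constructed connection log and flags the indicators listed above: the domains from the traffic list and UDP traffic to the Cerber check-in port 6892. The log format and the sample lines are made up for the example (documentation-range addresses); the hostnames and the port are the ones in the list.

```python
import re
from typing import Dict, List

CERBER_CHECKIN_UDP_PORT = 6892  # check-in port from the traffic list above

# Domains from the traffic list; labels are the post's own descriptions.
INDICATOR_HOSTS: Dict[str, str] = {
    "luckystavern.com": "compromised site",
    "will.warondoctors.info": "Rig-V EK",
    "btc.blockr.io": "Bitcoin block explorer",
    "ffoqr3ug7m726zou.13inb1.top": "Cerber Decryptor site",
}

# Constructed sample log (not the original capture). Columns:
# timestamp src_ip dst_ip proto dst_port host   ("-" when no hostname was observed)
SAMPLE_LOG = """\
2016-12-05T14:01:02Z 10.0.0.5 203.0.113.10 tcp 80 luckystavern.com
2016-12-05T14:01:03Z 10.0.0.5 203.0.113.20 tcp 80 will.warondoctors.info
2016-12-05T14:01:10Z 10.0.0.5 198.51.100.1 udp 6892 -
2016-12-05T14:01:10Z 10.0.0.5 198.51.100.2 udp 6892 -
2016-12-05T14:01:10Z 10.0.0.5 198.51.100.3 udp 6892 -
2016-12-05T14:01:20Z 10.0.0.5 203.0.113.30 tcp 443 btc.blockr.io
2016-12-05T14:02:00Z 10.0.0.5 203.0.113.40 tcp 443 www.example.com
2016-12-05T14:02:05Z 10.0.0.5 203.0.113.50 udp 53 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<dport>\d+)\s+(?P<host>\S+)$"
)


def parse_line(line: str) -> dict:
    """Split one log line into fields; raises ValueError on lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec: dict) -> List[str]:
    """Return the reasons (if any) a record matches the post's indicators."""
    reasons: List[str] = []
    host = rec["host"].lower().rstrip(".")
    if host in INDICATOR_HOSTS:
        reasons.append(f"host {host} ({INDICATOR_HOSTS[host]})")
    if rec["proto"] == "udp" and rec["dport"] == CERBER_CHECKIN_UDP_PORT:
        reasons.append(f"udp/{CERBER_CHECKIN_UDP_PORT} (Cerber check-in port)")
    return reasons


def scan(log_text: str) -> List[dict]:
    """Scan a whole log; one alert per matching line, in log order."""
    alerts: List[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                           "proto": rec["proto"], "dport": rec["dport"],
                           "reasons": reasons})
    return alerts


def checkin_destinations(alerts: List[dict]) -> Dict[str, List[str]]:
    """Map each source to the distinct destinations it reached on the check-in port.
    One host hitting several addresses on udp/6892 is a stronger signal than a
    single stray datagram, so the count is worth surfacing alongside the alerts."""
    out: Dict[str, set] = {}
    for a in alerts:
        if a["proto"] == "udp" and a["dport"] == CERBER_CHECKIN_UDP_PORT:
            out.setdefault(a["src"], set()).add(a["dst"])
    return {src: sorted(dsts) for src, dsts in out.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["src"], "->", a["dst"], "; ".join(a["reasons"]))
    for src, dsts in checkin_destinations(found).items():
        print(f"{src} reached {len(dsts)} destinations on udp/{CERBER_CHECKIN_UDP_PORT}")
```

On the sample log the script raises six alerts (two for the redirect chain, three for the UDP check-ins, one for the block explorer) and reports that the one internal host reached three distinct addresses on the check-in port; ordinary DNS and HTTPS lines pass through untouched.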
File name: RigV UA check page.html
File name: RigV EK Landing Page.html
File name: RigV EK Flash Exploit.swf
File name: radF31F1.tmp.exe
The infection begins when the user visits the compromised website, which contains injected script from the pseudoDarkleech campaign. This script redirects the host to a Rig-V User-Agent checking page. Below is an image of the HTTP request and the response from the web server, which returns a page containing the script:
The iframe above contains the URL for the Rig-V User-Agent checking page.
The script on the User-Agent check page is designed to identify the browser being used. The page also contains the URL for the Rig-V landing page. If the conditions are met, the host makes a POST request to the landing page URL. For more information on the User-Agent checking page please refer to my previous blog post HERE.
The server then returned the landing page, which contains more script. Next we see the request for the Flash exploit and the Cerber ransomware payload.
A JS downloader is dropped in %Temp%, followed by the Cerber payload. Both files delete themselves.
Notice there are 3 other Cerber payloads in %Temp% (radD3343.tmp.exe, rad032EB.tmp.exe, and rad0D585.tmp.exe). This happened because I refreshed the compromised site 3 additional times and got the full infection chain. The filenames are different but the hash values were identical.
After infection the user would see a ransom note image popup on their screen called _README_[7 alphanumeric characters]_.jpg and a Cerber ransomware instructions page called _README_[7 alphanumeric characters]_.hta. The instructions contain information about how the user can decrypt their encrypted files.
Encrypted files are renamed and are appended with a 4 character extension. My files were appended with .ab8b; however, the extension is derived from your machine GUID.
For example: xxxxxxxx-xxxx-xxxx-ab8b-xxxxxxxxxxxx
This shouldn’t be a surprise since Cerber is also creating and then naming folders and files in %Temp% after partial sections from the machine GUID.
To check your machine GUID you can use regedit.exe and find it in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography.
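As an added example (not part of the original post), the following Python script turns the GUID observation into a host-side check: it reads the MachineGuid value from that registry key (on Windows; elsewhere you pass the GUID in), derives the extension Cerber would use on that machine from the fourth GUID group, as the xxxxxxxx-xxxx-xxxx-ab8b-xxxxxxxxxxxx example shows, and sorts a file listing into encrypted files, ransom notes matching the _README_[7 alphanumeric characters]_ naming, and %Temp% payload candidates matching the rad#####.tmp.exe names seen in this infection. The rad pattern is generalised from the four filenames in the post, and the sample GUID and file list are constructed for the example.

```python
import re
import sys
from typing import Dict, List, Optional

# Fourth group of the GUID becomes the extension (from the post's example).
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-(?P<fourth>[0-9a-f]{4})-[0-9a-f]{12}$",
    re.IGNORECASE,
)
# Ransom note names from the post: _README_ + 7 alphanumerics + _ with .hta or .jpg
RANSOM_NOTE_RE = re.compile(r"^_README_[A-Za-z0-9]{7}_\.(hta|jpg)$")
# Generalised from the four dropped payload names in the post (radF31F1.tmp.exe etc.)
PAYLOAD_RE = re.compile(r"^rad[0-9A-F]{5}\.tmp\.exe$", re.IGNORECASE)

# Constructed sample data (not from the infected host in the post); the GUID's
# fourth group is chosen to match the .ab8b extension the post observed.
SAMPLE_GUID = "3f2504e0-4f89-11d3-ab8b-0800200c9a66"
SAMPLE_FILES = [
    r"C:\Users\victim\Documents\Zx8T2kL9pQ.ab8b",
    r"C:\Users\victim\Pictures\q1W2e3R4t5.ab8b",
    r"C:\Users\victim\Desktop\_README_aB3cD9e_.hta",
    r"C:\Users\victim\Desktop\_README_aB3cD9e_.jpg",
    r"C:\Users\victim\AppData\Local\Temp\radF31F1.tmp.exe",
    r"C:\Users\victim\Documents\notes.txt",
]


def read_machine_guid() -> Optional[str]:
    """Read MachineGuid from HKLM\\SOFTWARE\\Microsoft\\Cryptography.
    Returns None when not running on Windows. KEY_WOW64_64KEY makes a 32-bit
    interpreter read the 64-bit view of the key, where the value lives."""
    if not sys.platform.startswith("win"):
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Cryptography",
                        0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
        value, _ = winreg.QueryValueEx(key, "MachineGuid")
    return str(value)


def cerber_extension(machine_guid: str) -> str:
    """Return the extension this machine's encrypted files would carry ('.' + 4th GUID group)."""
    m = GUID_RE.match(machine_guid.strip().strip("{}"))
    if m is None:
        raise ValueError(f"not a GUID: {machine_guid!r}")
    return "." + m.group("fourth").lower()


def basename(path: str) -> str:
    """Last path component for either Windows or POSIX separators."""
    return path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]


def triage(filenames: List[str], machine_guid: str) -> Dict[str, List[str]]:
    """Sort a file listing into Cerber artefacts for the given machine GUID."""
    ext = cerber_extension(machine_guid)
    result: Dict[str, List[str]] = {"encrypted": [], "ransom_notes": [], "payload_candidates": []}
    for name in filenames:
        base = basename(name)
        if base.lower().endswith(ext):
            result["encrypted"].append(name)
        elif RANSOM_NOTE_RE.match(base):
            result["ransom_notes"].append(name)
        elif PAYLOAD_RE.match(base):
            result["payload_candidates"].append(name)
    return result


if __name__ == "__main__":
    guid = read_machine_guid() or SAMPLE_GUID  # fall back to the constructed GUID off-Windows
    print("machine GUID:", guid, "-> expected extension:", cerber_extension(guid))
    for category, names in triage(SAMPLE_FILES, SAMPLE_GUID).items():
        print(f"{category}: {names}")
```

Because the extension is per-machine, a fleet-wide search for one literal extension such as .ab8b would miss other hosts; deriving it from each host's own MachineGuid, as above, gives a check that travels with the machine.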
The desktop wallpaper is also changed to a .bmp image of the ransom note. Below are images of the desktop, the ransom notes, and an encrypted file.
Until next time!