- 220.127.116.11 – chicago.fdmaps.com – Compromised site
- 18.104.22.168 – new.underinsuredamerican.org – Rig-V EK
- Cerber check-in traffic via UDP port 6892:
- 22.214.171.124 – btc.blockr.io – Bitcoin block explorer
- 126.96.36.199 – ffoqr3ug7m726zou.1mstqg.top – Cerber Decryptor site
File name: RigV UA check.html
File name: RigV EK Landing Page.html
File name: RigV EK Flash Exploit.swf
File name: OTTYUADAF
File name: mortise.dll
File name: rad03A66.tmp.exe
The infection begins when the user visits the compromised website. The compromised website contains injected script known as pseudoDarkleech campaign. This script redirected the host to a Rig-V User-Agent checking page. Below is an image of the HTTP request and response from the web server which returns a page with the script:
The iframe above contains the URL for the Rig-V User-Agent checking page.
The script on the User-Agent check page is designed to identify the browser being used. The page also contains the URL for the Rig-V EK landing page. If the UA conditions are right then the host makes a POST request to the landing page URL.
For more information on the User-Agent checking page please refer to my previous blog post HERE.
The server then returned the landing page which contains more script. Next we see the request for a Flash exploit and the Cerber ransomware payload.
A JS downloader is dropped in %Temp% followed by the Cerber payload. Both files self-delete themselves. There are also some files created in the Roaming folder. Here is an image of the JS downloader, Cerber executable, and additional files:
Notice there is one other Cerber executable in %Temp% (rad53B1C.tmp.exe). This happened because I refreshed the compromised site an additional time and got the full infection chain. The filenames are different but the hash values were identical.
After infection the user would see a ransom note image popup on their screen called _README_[5-8 alphanumeric characters]_.jpg and a Cerber ransomware instructions page called _README_[5-8 alphanumeric characters]_.hta. The instructions contain information about how the user can decrypt their encrypted files.
Encrypted files are renamed and are appended with a 4 character extension. My files were appended with an .ab8b, however, the extensions are being named after your machine GUID.
Cerber is also creating a folder in %Temp% and naming it after the first 8 characters in your machine GUID.
Contained within that folder are two additional files named after the next 8 characters of the GUID.
To check your machine GUID you can use regedit.exe and find it in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography.
The Desktop is also changed to a .bmp image of the ransom note. Below are images of the Desktop, ransom notes, and encrypted file.
My IDS also alerted on the malicious traffic:
Until next time!