pseudoDarkleech Script Redirects Host to Rig-V EK at 195.161.62.232. EK Drops Cerber.

IOCs:

  • 184.172.50.36 – chicago.fdmaps.com – Compromised site
  • 195.161.62.232 – new.underinsuredamerican.org – Rig-V EK
  • Cerber check-in traffic via UDP port 6892:
    • 37.15.20.0/27
    • 77.1.12.0/27
    • 91.239.24.0/24
    • 91.239.25.0/24
  • 148.251.6.214 – btc.blockr.io – Bitcoin block explorer
  • 84.200.4.130 – ffoqr3ug7m726zou.1mstqg.top – Cerber Decryptor site

Traffic:

[Image: traffic]

[Image: traffic-2: only showing partial image of the UDP check-in traffic]

Hashes:

SHA256: 814d06968bd54aadd13f3e352d5c6b792decdb1c8eeec8d35e7aeaa0cde72b57
File name: RigV UA check.html

SHA256: 7e285aee3f54b9a289d03f8a6904eeed8dd88c3028f92ce9d62d8f2c333a52d7
File name: RigV EK Landing Page.html

SHA256: 6a086bff1c7bf29cb73a6433de4efc138dbcda01f11fb2d966e69d1ebd05d3f8
File name: RigV EK Flash Exploit.swf

SHA256: 37cd23a7139f22ba04c2888674ed1fbee67167d2e36e53de3065ad907b65f870
File name: OTTYUADAF

SHA256: b435fabf06d866d6292d17edbada63f685b0d5b3dc3d5a6f471d4432b3e0efe8
File name: mortise.dll
Hybrid-Analysis Submission

SHA256: 738fab7450ad2078905bf11b0cdd170a9c2c95fd60b36e5c5df87a6e76b21373
File name: rad03A66.tmp.exe
Hybrid-Analysis Submission

Infection Chain:

The infection begins when the user visits the compromised website, which contains injected script associated with the pseudoDarkleech campaign. This script redirects the host to a Rig-V User-Agent checking page. Below is an image of the HTTP request and the web server's response, which returns a page containing the script:

[Image: pseudodarkleech-script]

The iframe above contains the URL for the Rig-V User-Agent checking page.

The script on the User-Agent check page is designed to identify the browser being used. The page also contains the URL for the Rig-V EK landing page. If the User-Agent conditions are met, the host makes a POST request to the landing page URL.

For more information on the User-Agent checking page please refer to my previous blog post HERE.

The server then returned the landing page, which contains more script. Next we see the request for a Flash exploit, followed by the Cerber ransomware payload.

[Image: landing-page: partial image of the server returning the landing page]

[Image: flash-exploit: partial image of the server returning the Flash exploit]

[Image: payload: partial image of the server returning the payload]

A JS downloader is dropped in %Temp%, followed by the Cerber payload. Both files delete themselves. Some files are also created in the Roaming folder. Here is an image of the JS downloader, the Cerber executable, and the additional files:

Notice there is one other Cerber executable in %Temp% (rad53B1C.tmp.exe). This happened because I refreshed the compromised site an additional time and got the full infection chain. The filenames are different but the hash values are identical.

After infection the user would see a ransom note image pop up on their screen, named _README_[5-8 alphanumeric characters]_.jpg, and a Cerber ransomware instructions page named _README_[5-8 alphanumeric characters]_.hta. The instructions tell the user how to decrypt their encrypted files.

Encrypted files are renamed and appended with a 4-character extension. My files were appended with .ab8b; however, the extension is named after your machine GUID.

Example: xxxxxxxx-xxxx-xxxx-ab8b-xxxxxxxxxxxx

Cerber also creates a folder in %Temp% named after the first 8 characters of your machine GUID.

Example: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Contained within that folder are two additional files named after the next 8 characters of the GUID.

Example: xxxxxxxx-xxxxxxxx-xxxx-xxxxxxxxxxxx

To check your machine GUID, open regedit.exe and look under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography (the MachineGuid value).
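The indicators above (Cerber's UDP 6892 check-in ranges, the Rig-V EK server), the _README_ note naming, and the GUID-derived extension and folder names lend themselves to a small hunting helper. The following is an added example, not code from the post or from any tool the post uses; the flow records are constructed, and the reading of the "next 8 characters" as GUID groups 2 and 3 joined is an assumption based on the example above.

```python
import ipaddress
import re

# Indicators from the IOC list above: Cerber UDP check-in ranges, Rig-V EK server.
CERBER_CHECKIN_NETS = [ipaddress.ip_network(n) for n in (
    "37.15.20.0/27", "77.1.12.0/27", "91.239.24.0/24", "91.239.25.0/24")]
CERBER_CHECKIN_PORT = 6892
RIG_V_EK_IP = ipaddress.ip_address("195.161.62.232")
# Ransom note names from the post: _README_<5-8 alphanumerics>_.jpg / .hta
RANSOM_NOTE_RE = re.compile(r"^_README_[A-Za-z0-9]{5,8}_\.(?:jpg|hta)$")
GUID_RE = re.compile(
    r"^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})$")

def classify_flow(proto, dst_ip, dst_port):
    """Tag one flow record (proto, destination IP, destination port), or None."""
    addr = ipaddress.ip_address(dst_ip)
    if (proto.upper() == "UDP" and dst_port == CERBER_CHECKIN_PORT
            and any(addr in net for net in CERBER_CHECKIN_NETS)):
        return "cerber-checkin"
    if proto.upper() == "TCP" and addr == RIG_V_EK_IP:
        return "rig-v-ek"
    return None

def cerber_artifact_names(machine_guid):
    """Host-specific names the post ties to MachineGuid: encrypted-file extension
    (4th group), %Temp% folder (first 8 chars), inner file names (next 8 hex
    chars, groups 2 and 3 joined; that reading of the example is an assumption)."""
    m = GUID_RE.match(machine_guid.strip("{}").lower())
    if not m:
        raise ValueError("not a GUID: %r" % machine_guid)
    return {"extension": "." + m.group(4),
            "temp_folder": m.group(1),
            "inner_files": m.group(2) + m.group(3)}

def is_ransom_note(filename):
    return bool(RANSOM_NOTE_RE.match(filename))

# Constructed sample flows, not from the post's capture.
SAMPLE_FLOWS = [
    ("TCP", "195.161.62.232", 80),   # landing page / payload fetch
    ("UDP", "91.239.24.77", 6892),   # inside 91.239.24.0/24: check-in
    ("UDP", "37.15.20.40", 6892),    # .40 is outside 37.15.20.0/27 (.0-.31)
    ("UDP", "77.1.12.5", 53),        # right range, wrong port
]

def scan_flows(flows=SAMPLE_FLOWS):
    """Return the matching flows paired with their tag."""
    return [(f, tag) for f in flows if (tag := classify_flow(*f))]
```

Feed scan_flows() records exported from your IDS or NetFlow collector, and compare cerber_artifact_names() output against file names under %Temp% and Roaming on a suspect host.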

The Desktop wallpaper is also changed to a .bmp image of the ransom note. Below are images of the Desktop, the ransom notes, and an encrypted file.

My IDS also alerted on the malicious traffic:

[Image: ids-alerts]

Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
