- 220.127.116.11 – northrivercommission.org – Compromised site
- 18.104.22.168 – add.medlucency.info – RIG-v EK
- Cerber check-in traffic via UDP port 6892:
- 22.214.171.124 – btc.blockr.info – Bitcoin block explorer
- 126.96.36.199 – ffoqr3ug7m726zou.17vj7b.top – Cerber Decryptor site
File name: RIGV EK UA Gate.html
File name: RIGV EK Landing Page.html
File name: RIGV EK Flash Exploit.swf
File name: rad6519B.tmp.exe
The infection chain begins with the user browsing to a compromised website. In this sample we can see that I was browsing the website northrivercommission.org. The picture above shows the pseudoDarkleech script injected into the site's code. The iframe within that script causes the host to make a GET request to the URL it contains.
On December 4th, 2016, I noticed that RIG-v was using a gate of sorts before redirecting the host to the landing page. The URL contained within the pseudoDarkleech script is pointing to that same gate which is checking the User-Agent before redirecting the host to the landing page. Read more about this HERE.
Once on the landing page the host was served a Flash exploit and a script that caused the host to make a request for the payload. Below are images of the host requests and server responses for the landing page, Flash exploit, and Cerber payload.
The JS downloader and payload are dropped in %Temp%. These files delete themselves after running. There are also some files created in the user's Roaming folder. Below are images of the Cerber executable and additional files created during the infection:
After infection the user would see a ransom note in the form of an image popup on their screen called _README_[5-8 alphanumeric characters]_.jpg. This is followed by Cerber ransomware instructions page called _README_[5-8 alphanumeric characters]_.hta being loaded on the screen. The instructions contain information about how the user can decrypt their files.
Encrypted files are renamed with a 4-character extension appended. For example, my files were appended with .ab8b; however, each infection will differ, as the extension is derived from part of your machine's GUID.
It should also be noted that Cerber creates a folder in %Temp% named after the first 8 characters of your machine GUID.
Contained within that folder are two additional .tmp files named after the next 8 characters of the GUID.
To check your machine GUID you can use regedit.exe and find it in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography.
The Desktop is also changed to a .bmp image of the ransom note (contained within %Temp%). Below are images of the Desktop, ransom notes, and encrypted files.
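The host and network artifacts above (ransom-note names, GUID-derived %Temp% folder and .tmp files, a burst of files sharing one 4-character extension, and UDP/6892 check-ins) can be turned into a small triage script. The following is an added example, not code from the original post; the machine GUID, directory listings and flow lines are constructed samples, and the slicing of the GUID (hyphens dropped before taking the first and next 8 characters) is an assumption about how the post's "first 8" and "next 8" characters are counted.

```python
"""Triage helpers for the Cerber artifacts described in the post.
Added example; all sample inputs below are constructed, not from the page."""
import re
from collections import Counter

# Ransom notes named _README_<5-8 alphanumerics>_.hta / .jpg (from the post)
RANSOM_NOTE_RE = re.compile(r"^_README_[A-Za-z0-9]{5,8}_\.(hta|jpg)$", re.IGNORECASE)

# Check-in traffic observed on UDP port 6892 (from the post)
CHECKIN_UDP_PORT = 6892
# Flow-line layout is constructed for this example (not a real tool's format)
FLOW_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
SAMPLE_MACHINE_GUID = "ab8b1c2d-3e4f-5061-7283-94a5b6c7d8e9"
# Constructed %Temp% listing (bare names, folder and its contents flattened)
SAMPLE_TEMP = ["rad6519B.tmp.exe", "ab8b1c2d", "3e4f5061.tmp", "3e4f5061_1.tmp"]
# Constructed user-profile listing after encryption
SAMPLE_USER = ["_README_k7Qm3x_.hta", "_README_k7Qm3x_.jpg", "budget.ab8b",
               "notes.ab8b", "photo.ab8b", "report.docx", "readme.txt"]
# Constructed flow records; 198.51.100.0/24 is a documentation range
SAMPLE_FLOWS = [
    "2016-12-05 10:01:02 proto=UDP src=10.0.0.5:49152 dst=198.51.100.7:6892",
    "2016-12-05 10:01:03 proto=TCP src=10.0.0.5:49153 dst=198.51.100.8:443",
    "2016-12-05 10:01:04 proto=UDP src=10.0.0.5:49152 dst=198.51.100.9:6892",
]


def expected_temp_artifacts(machine_guid):
    """Folder name and .tmp stem Cerber derives from the MachineGuid.
    Assumption: hyphens are removed before slicing the first/next 8 chars."""
    g = machine_guid.strip("{}").replace("-", "").lower()
    if len(g) != 32:
        raise ValueError("MachineGuid should contain 32 hex characters")
    return {"folder": g[:8], "tmp_stem": g[8:16]}


def ransom_notes(filenames):
    """Files whose names match the _README_<id>_ note pattern."""
    return sorted(f for f in filenames if RANSOM_NOTE_RE.match(f))


def dominant_four_char_extension(filenames, min_count=3):
    """Heuristic: many files sharing one unfamiliar 4-character extension.
    Returns (extension, count) or None when no cluster reaches min_count."""
    familiar = {"docx", "xlsx", "pptx", "html", "jpeg", "json", "yaml"}
    counts = Counter()
    for f in filenames:
        _stem, dot, ext = f.rpartition(".")
        if dot and len(ext) == 4 and ext.lower() not in familiar:
            counts[ext.lower()] += 1
    if not counts:
        return None
    ext, n = counts.most_common(1)[0]
    return (ext, n) if n >= min_count else None


def checkin_flows(flow_lines):
    """(src, dst) pairs for UDP flows to the check-in port."""
    hits = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if m and m["proto"].upper() == "UDP" and int(m["dport"]) == CHECKIN_UDP_PORT:
            hits.append((m["src"], m["dst"]))
    return hits


def triage(machine_guid, temp_listing, user_listing, flow_lines):
    """Combine the host and network checks into one report dictionary."""
    art = expected_temp_artifacts(machine_guid)
    return {
        "guid_folder_present": art["folder"] in set(temp_listing),
        "tmp_files": sorted(f for f in temp_listing
                            if f.startswith(art["tmp_stem"]) and f.endswith(".tmp")),
        "ransom_notes": ransom_notes(user_listing),
        "encrypted_ext": dominant_four_char_extension(user_listing),
        "checkin_flows": checkin_flows(flow_lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MACHINE_GUID, SAMPLE_TEMP,
                             SAMPLE_USER, SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

On a real host you would read MachineGuid from the registry key the post names and feed actual directory listings and firewall or NetFlow records in place of the constructed samples; the extension heuristic is only a hint, since the post notes the extension changes per machine.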
As of this writing I don’t believe there is a Cerber decryption tool for this version. If anyone knows of one leave a comment below or contact me on Twitter.