‘Tis the Season for Cerber: Rig-V EK at 195.133.201.249 and Drops, you guessed it, Cerber Ransomware

IOCs:

  • 205.251.140.114 – northrivercommission.org – Compromised site
  • 195.133.201.249 – add.medlucency.info – RIG-v EK
  • Cerber check-in traffic via UDP port 6892:
    • 93.223.40.0/27
    • 92.145.32.0/27
    • 91.239.24.0/24
    • 91.239.25.0/24
  • 148.251.6.214 – btc.blockr.info – Bitcoin block explorer
  • 84.200.4.130 – ffoqr3ug7m726zou.17vj7b.top – Cerber Decryptor site

Traffic:

[Image: traffic]

[Image: traffic-2]
The pictures do not show all of the Cerber check-in traffic. For the full Cerber check-in traffic, click the Hybrid-Analysis Submission link in the Hashes section.
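The check-in traffic above is the most reusable IOC on this page: Cerber beacons over UDP/6892 into whole address ranges rather than to a single host, so a detection has to match on port plus CIDR, not on an exact IP. The script below is an added example written for this post, not code from the original author or from the Cerber sample; it turns the IOC list into a flow classifier and an equivalent Suricata rule. The flow log is constructed for illustration (field order `ts src dst proto dport` is an assumption of the example), and the Suricata `sid` is a placeholder to be replaced with one from your local range.

```python
import ipaddress

# Cerber check-in destinations and port, taken from the IOC list in this post.
CERBER_CHECKIN_PORT = 6892
CERBER_CHECKIN_NETS = [
    ipaddress.ip_network(n)
    for n in ("93.223.40.0/27", "92.145.32.0/27", "91.239.24.0/24", "91.239.25.0/24")
]

# Single-host IOCs from the post, mapped to a short verdict label.
IOC_IPS = {
    "205.251.140.114": "compromised-site",      # northrivercommission.org
    "195.133.201.249": "rig-v-ek",              # add.medlucency.info
    "84.200.4.130": "cerber-decryptor-site",    # ffoqr3ug7m726zou.17vj7b.top
}


def is_cerber_checkin(proto, dst_ip, dst_port):
    """True for Cerber's post-infection beacon: UDP to port 6892 into one of the listed ranges."""
    if proto.lower() != "udp" or int(dst_port) != CERBER_CHECKIN_PORT:
        return False
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in CERBER_CHECKIN_NETS)


def classify_flows(lines):
    """Scan whitespace-separated flow records ("ts src dst proto dport") and
    return [(line_number, verdict)] for every record that matches an IOC.
    Comment lines, blank lines and malformed records are skipped."""
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, _src, dst, proto, dport = fields
        try:
            if is_cerber_checkin(proto, dst, dport):
                hits.append((lineno, "cerber-checkin"))
                continue
        except ValueError:      # unparsable address or port: skip the record
            continue
        if dst in IOC_IPS:
            hits.append((lineno, IOC_IPS[dst]))
    return hits


def suricata_rule(sid):
    """Build an equivalent Suricata rule for the check-in beacon.
    The sid is a placeholder (assumption); use one from your local range."""
    nets = ",".join(str(n) for n in CERBER_CHECKIN_NETS)
    return (f'alert udp $HOME_NET any -> [{nets}] {CERBER_CHECKIN_PORT} '
            f'(msg:"Cerber ransomware check-in beacon"; sid:{sid}; rev:1;)')


# Constructed sample flow log (illustrative, not traffic captured for the post).
# Lines 4-5 fall inside the ranges; lines 6-7 sit just outside them (a /27 ends
# at .31, and 91.239.26.0 is beyond the two /24s) and must not alert.
SAMPLE_LOG = """\
# ts          src        dst              proto dport
1480886400  10.0.0.15  205.251.140.114  tcp   80
1480886401  10.0.0.15  195.133.201.249  tcp   80
1480886410  10.0.0.15  93.223.40.17     udp   6892
1480886410  10.0.0.15  91.239.25.200    udp   6892
1480886410  10.0.0.15  93.223.40.40     udp   6892
1480886410  10.0.0.15  91.239.26.5      udp   6892
1480886412  10.0.0.15  8.8.8.8          udp   53
1480886420  10.0.0.15  84.200.4.130     tcp   80
"""

if __name__ == "__main__":
    for lineno, verdict in classify_flows(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: {verdict}")
    print(suricata_rule(sid=9000001))
```

Matching on the CIDR rather than on individual addresses matters because the sample sprays datagrams across the range; a rule keyed to the one or two addresses visible in a screenshot would miss most of the beacon.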

Hashes:

SHA256: a309461e89391f4432949d391d8ba4bcc8fee4f1def2bf01bf439da1c11e21dd
File name: RIGV EK UA Gate.html

SHA256: 052d05cbca3b82357ccd8d19fe4c2ed2207ba8286d57b0d4f24f88dce8ce6611
File name: RIGV EK Landing Page.html

SHA256: c84c182f81f9fc8abab0b7955015890e61a613647aa6870a953b720c92838562
File name: RIGV EK Flash Exploit.swf

SHA256: df9a24db2844eb2b4b4c06a762888b1331d4d87d3bcbb481c8f00fc6e12332fe
File name: rad6519B.tmp.exe
Hybrid-Analysis Submission

PseudoDarkleech Script:

[Image: pseudodarkleech-script]

Infection Chain:

The infection chain begins with the user browsing to a compromised website. In this sample I was browsing northrivercommission.org. The picture above shows the pseudoDarkleech script injected into the site's code. The iframe within that script causes the host to make a GET request to the RIG-v gate URL.

On December 4th, 2016, I noticed that RIG-v was using a gate of sorts before redirecting the host to the landing page. The URL contained within the pseudoDarkleech script points to that same gate, which checks the User-Agent before redirecting the host to the landing page. Read more about this HERE.

Once on the landing page, the host was served a Flash exploit and a script that caused the host to request the payload. Below are images of the host requests and server responses for the landing page, the Flash exploit, and the Cerber payload.

[Image: landing-page]
The image shows only part of the return traffic for the landing page.
[Image: flash-exploit]
The image shows only part of the return traffic for the Flash exploit.
[Image: payload]
The image shows only part of the return traffic for the payload.

The JS downloader and the payload are dropped in %Temp%; both delete themselves after running. Some files are also created in the user's Roaming folder. Below are images of the Cerber executable and the additional files created during the infection:

After infection the user sees a ransom note in the form of an image popup named _README_[5-8 alphanumeric characters]_.jpg. This is followed by the Cerber instructions page, _README_[5-8 alphanumeric characters]_.hta, being loaded on the screen. The instructions describe how the user can decrypt their files.

Encrypted files are renamed and given a 4-character extension. For example, my files were appended with .ab8b; each infection will be different, because the extension is taken from part of the machine's GUID (the fourth group in the example below).

Example: xxxxxxxx-xxxx-xxxx-ab8b-xxxxxxxxxxxx

Cerber also creates a folder in %Temp% named after the first 8 characters of the machine GUID.

Example: XXXXXXXX-xxxx-xxxx-xxxx-xxxxxxxxxxxx

That folder contains two additional .tmp files named after the next 8 characters of the GUID (the second and third groups).

Example: xxxxxxxx-XXXX-XXXX-xxxx-xxxxxxxxxxxx

To check your machine GUID, open regedit.exe and look at the MachineGuid value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography.
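Because every name above is a function of MachineGuid, a responder can predict what to look for on a given host before touching it. The script below is an added example for this post, not the author's tooling and not code from the sample: it derives the extension, %Temp% folder name and .tmp stem from a GUID, then runs those names over a file listing (a constructed one here, or a live `os.walk` on Windows). The GUID and the listing are hypothetical; the post does not say how the two .tmp files differ from each other, so the scan matches them by the 8-character stem plus a .tmp suffix, which is an assumption.

```python
import os
import re
import sys

GUID_RE = re.compile(
    r"^\{?([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})\}?$",
    re.IGNORECASE,
)
# Ransom note names as described in the post: _README_<5-8 alphanumerics>_.jpg / .hta
RANSOM_NOTE_RE = re.compile(r"^_README_[A-Za-z0-9]{5,8}_\.(?:jpg|hta)$", re.IGNORECASE)


def cerber_names_from_guid(machine_guid):
    """Map a MachineGuid to the names this Cerber build derives from it:
    ext      - encrypted-file extension, the 4th GUID group (".ab8b" in the post)
    temp_dir - folder created in %Temp%, the first 8 hex characters
    tmp_stem - the next 8 hex characters (2nd and 3rd groups), used for the .tmp files"""
    m = GUID_RE.match(machine_guid.strip())
    if not m:
        raise ValueError(f"not a GUID: {machine_guid!r}")
    g1, g2, g3, g4, _g5 = (g.lower() for g in m.groups())
    return {"ext": "." + g4, "temp_dir": g1, "tmp_stem": g2 + g3}


def read_machine_guid():
    """Read MachineGuid from the live host (Windows only). KEY_WOW64_64KEY makes a
    32-bit Python read the same 64-bit key regedit shows, not the WOW6432Node view."""
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Cryptography",
                        0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
        return winreg.QueryValueEx(key, "MachineGuid")[0]


def scan_listing(paths, names):
    """Classify a file listing (full paths, either separator) against the derived names.
    Returns {"encrypted": [...], "notes": [...], "temp_artifacts": [...]}."""
    found = {"encrypted": [], "notes": [], "temp_artifacts": []}
    for path in paths:
        parts = re.split(r"[\\/]", path)
        base = parts[-1]
        base_l = base.lower()
        parents = [p.lower() for p in parts[:-1]]
        if base_l.endswith(names["ext"]):
            found["encrypted"].append(path)
        elif RANSOM_NOTE_RE.match(base):
            found["notes"].append(path)
        elif (names["temp_dir"] in parents
              and base_l.startswith(names["tmp_stem"]) and base_l.endswith(".tmp")):
            # Assumption: the two .tmp files share the 8-character stem.
            found["temp_artifacts"].append(path)
    return found


def walk_paths(root):
    """Yield every file under root; for a live host or a mounted image."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


# Hypothetical GUID and constructed listing (not files from the post's sample).
SAMPLE_GUID = "0f1e2d3c-4b5a-6978-ab8b-0123456789ab"
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\report.docx",                       # untouched
    r"C:\Users\victim\Documents\Kd9xJq2Lm1.ab8b",                   # encrypted
    r"C:\Users\victim\Pictures\holiday.jpg.ab8b",                   # encrypted
    r"C:\Users\victim\Desktop\_README_a1b2c_.hta",                  # ransom note
    r"C:\Users\victim\Desktop\_README_a1b2c_.jpg",                  # ransom note
    r"C:\Users\victim\AppData\Local\Temp\0f1e2d3c\4b5a6978.tmp",    # GUID-named artifact
    r"C:\Users\victim\AppData\Local\Temp\rad6519B.tmp.exe",         # dropped payload name
]

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.platform == "win32":
        names = cerber_names_from_guid(read_machine_guid())
        paths = walk_paths(sys.argv[1])        # e.g. C:\Users
    else:
        names = cerber_names_from_guid(SAMPLE_GUID)
        paths = SAMPLE_LISTING
    print("derived names:", names)
    for kind, hits in scan_listing(paths, names).items():
        print(f"{kind}: {len(hits)}")
        for p in hits:
            print("   ", p)
```

Run with no arguments to see the derivation against the constructed listing; on an infected Windows host, `python cerber_triage.py C:\Users` reads the real MachineGuid and walks the profile tree. Note that rad6519B.tmp.exe is deliberately not matched: its name is not GUID-derived, and the post says it deletes itself, so the registry-derived names are the durable host IOCs.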

The Desktop wallpaper is also changed to a .bmp image of the ransom note (stored in %Temp%). Below are images of the Desktop, the ransom notes, and the encrypted files.

As of this writing I don't believe there is a Cerber decryption tool for this version. If anyone knows of one, leave a comment below or contact me on Twitter.
