pseudoDarkleech to RIG-v EKs

IOCs:

  • 107.181.172.103 – lovlose.com – Compromised site
  • 109.234.37.178 – new.buttock.toys – RIG-v EK
  • Cerber check-in traffic via UDP port 6892
    • 1.22.15.0/27
    • 2.23.16.0/27
    • 91.239.24.0/24
    • 91.239.25.0/24

IOCs:

  • 184.168.136.128 – tarboushgrill.com – Compromised site
  • 81.177.139.86 – see.soulartspublishing.com – RIG-v EK
  • Cerber check-in traffic via UDP port 6892
    • 77.4.1.0/27
    • 77.15.1.0/27
    • 91.239.24.0/24
    • 91.239.25.0/24

IOCs:

  • 141.138.168.111 – hoolhoevebriards.com – Compromised site
  • 195.133.201.10 – try.soulassistance.com – RIG-v EK
  • Cerber check-in traffic via UDP port 6892
    • 77.4.1.0/27
    • 77.15.1.0/27
    • 91.239.24.0/24
    • 91.239.25.0/24

Traffic:

[Traffic captures: lovlose.com, tarboushgrill.com, hoolhoevebriards.com]

Hashes:

LovLose.com
SHA256: a5aa6a0d3a245380ca18c8beb994f00271e5a9ee19c107749473b5092620e81e
File name: RIG-v EK Flash Exploit.swf

SHA256: aefc908768c38cc411c9f354c4e884b610409033d71bfefc5a1fe2f3278d26ad
File name: OTTYUADAF

SHA256: 384b89f1cf6cddeda7a5c05c23ac5709588bd341f329d48dae6eab228b444ef3
File name: radDEA7C.tmp.exe
Hybrid-Analysis Submission

TarboushGrill.com and HoolhoeveBriards.com
SHA256: 151778e132753186eb8bb0dd5b6563a3d919af7e6bbdc4395e17442556021741
File name: RIG-v EK Flash Exploit.swf

Infection Chain:

These infections started with me visiting the compromised sites. All the sites contained the pseudoDarkleech script. Oftentimes there is adequate warning for users to avoid hacked sites. For example:

[Image: warning]

Below is an example of the script being injected into LovLose.com:

[Image: pseudoDarkleech script injected into lovlose.com]

The URL within the iframe tags will redirect hosts to the RIG-v “pre-landing” page where there is a script designed to check the user’s User-Agent. If the User-Agent is IE then the hosts are redirected to the RIG-v EK landing page. As of late the request for the landing page is coming in the form of a POST request.

Once on the landing page the host is fed more script and downloads the Flash exploit and then the payload. Below is an image of the script being used to download the payload:

[Image: script downloader]

The malware payload is then dropped in %Temp% along with other files:

The reason why you are seeing multiple Cerber payloads is because the page errored out multiple times and then auto-refreshed. This caused the host to go through the entire infection chain over and over again.

My machine was never fully compromised, as the files never ended up getting encrypted. This seemed to be somewhat of a trend for me over the holiday weekend.

As always I recommend blocking EK IPs since the sub-domains change so frequently.
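The following is an added example (not code from the original post) that turns the network IOCs above into a small flow checker: it keys on the RIG-v EK IPs rather than the short-lived subdomains, flags the POST to the landing page described in the infection chain, and matches UDP/6892 traffic against the Cerber check-in ranges. The log format and sample flows are constructed for this example.

```python
import ipaddress
from typing import NamedTuple

# Network IOCs from the three infections documented above.
RIGV_EK_IPS = {"109.234.37.178", "81.177.139.86", "195.133.201.10"}
CERBER_CHECKIN_PORT = 6892
CERBER_CHECKIN_NETS = [ipaddress.ip_network(n) for n in (
    "1.22.15.0/27", "2.23.16.0/27", "77.4.1.0/27", "77.15.1.0/27",
    "91.239.24.0/24", "91.239.25.0/24")]

class Flow(NamedTuple):
    proto: str        # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    method: str = ""  # HTTP method where known, "" otherwise

def parse_log(text):
    """Parse the constructed format '<proto> <src_ip> <dst_ip>:<dst_port> <method|->'."""
    flows = []
    for line in text.strip().splitlines():
        proto, _src, dst, method = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append(Flow(proto, dst_ip, int(dst_port), "" if method == "-" else method))
    return flows

def classify(flow):
    """Return alert tags for one flow; an empty list means no IOC matched."""
    tags = []
    if flow.proto == "tcp" and flow.dst_ip in RIGV_EK_IPS:
        tags.append("rigv-ek-host")
        if flow.method == "POST":  # the post notes the landing page is now fetched via POST
            tags.append("rigv-landing-post")
    if flow.proto == "udp" and flow.dst_port == CERBER_CHECKIN_PORT:
        if any(ipaddress.ip_address(flow.dst_ip) in n for n in CERBER_CHECKIN_NETS):
            tags.append("cerber-checkin")
    return tags

def scan(flows):
    """Map flow index -> tags for every flow that matched at least one IOC."""
    return {i: t for i, f in enumerate(flows) if (t := classify(f))}

# Constructed sample flows (not captured traffic): an EK landing-page POST, a Cerber
# check-in, a UDP/6892 flow just outside the listed ranges, and a benign HTTPS flow.
SAMPLE_LOG = """
tcp 10.0.0.5 109.234.37.178:80 POST
udp 10.0.0.5 91.239.24.17:6892 -
udp 10.0.0.5 91.239.26.17:6892 -
tcp 10.0.0.5 203.0.113.10:443 GET
"""

if __name__ == "__main__":
    print(scan(parse_log(SAMPLE_LOG)))
```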

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
