EITest Leads to Sundown EK at 93.190.143.82 and Drops Cerber

IOCs:

  • 93.190.143.82 – cfx.hvb.mobi – Sundown EK
  • 93.190.143.82 – hxrheg.fve.mobi – Sundown EK
  • Cerber check-in traffic via UDP port 6892:
    • 90.2.1.0/27
    • 90.3.1.0/27
    • 91.239.24.0/23 (CIDR Address Range: 91.239.24.0 – 91.239.25.255)
  • 162.220.244.29 – p27dokhpz2n7nvgr.onion – Cerber Decryptor page
  • 162.220.244.29 – p27dokhpz2n7nvgr.1kja1j.top – Cerber Decryptor page
  • 162.220.244.29 – p27dokhpz2n7nvgr.1dlcbk.top – Cerber Decryptor page
  • 162.220.244.29 – p27dokhpz2n7nvgr.15l2ub.top – Cerber Decryptor page

HTTP Method and URIs:

  • GET /index.php?uErVBXqo2eo=5yi3Mj-n06JRTyrU0aJPqVnSgpo29BVq_FX5nwdkfgyiksTml74nFDUb
  • GET /7/?9643522803
  • GET /7/?947545190441&id=265
  • GET /7/?78493521
  • GET /bvfhjgejhfrg.png
  • GET /@@@.php?id=265
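The indicators above can be turned into a small triage script. The following is an added example, not code from the original post: it loads the IPs, domains, CIDR ranges and URI shapes listed in the IOC section and runs them over constructed proxy-log lines and flow records. The log and flow formats, the sample lines and the assignment of each URI to a particular host are assumptions made for the example; only the indicator values come from the post.

```python
import ipaddress
import re

# Indicator values taken from the IOC section of the post above.
EK_IPS = {"93.190.143.82", "162.220.244.29"}
EK_DOMAINS = {
    "cfx.hvb.mobi", "hxrheg.fve.mobi",
    "p27dokhpz2n7nvgr.1kja1j.top", "p27dokhpz2n7nvgr.1dlcbk.top",
    "p27dokhpz2n7nvgr.15l2ub.top",
}
CERBER_UDP_PORT = 6892
CERBER_RANGES = [ipaddress.ip_network(n) for n in
                 ("90.2.1.0/27", "90.3.1.0/27", "91.239.24.0/23")]
# URI shapes listed in the post: /7/?<digits>, /7/?<digits>&id=<digits>, /@@@.php?id=<digits>
SUNDOWN_URI = re.compile(r"^/(?:7/\?\d+(?:&id=\d+)?|@@@\.php\?id=\d+)$")


def check_http(line):
    """Constructed proxy-log format: '<src> <method> <host> <uri>'.
    Returns the list of reasons the line is suspicious (empty if none)."""
    src, method, host, uri = line.split()
    reasons = []
    if host in EK_IPS or host in EK_DOMAINS:
        reasons.append("known Sundown EK host")
    if SUNDOWN_URI.match(uri):
        reasons.append("Sundown EK URI pattern")
    return reasons


def check_flow(record):
    """Constructed flow-record format: '<src> <dst> <proto> <dport>'.
    Flags UDP/6892 to any of the Cerber check-in ranges; returns None otherwise."""
    src, dst, proto, dport = record.split()
    if proto.lower() != "udp" or int(dport) != CERBER_UDP_PORT:
        return None
    addr = ipaddress.ip_address(dst)
    for net in CERBER_RANGES:
        if addr in net:
            return f"Cerber check-in candidate: {src} -> {dst} in {net} udp/{dport}"
    return None


# Constructed sample input; which host served which URI is an assumption.
SAMPLE_HTTP = [
    "10.0.0.5 GET cfx.hvb.mobi /index.php?uErVBXqo2eo=5yi3Mj-n06JRTyrU0aJPqVnSgpo29BVq_FX5nwdkfgyiksTml74nFDUb",
    "10.0.0.5 GET hxrheg.fve.mobi /7/?947545190441&id=265",
    "10.0.0.5 GET hxrheg.fve.mobi /bvfhjgejhfrg.png",
    "10.0.0.5 GET www.example.com /index.html",
]
SAMPLE_FLOWS = [
    "10.0.0.5 91.239.25.7 udp 6892",   # inside 91.239.24.0/23
    "10.0.0.5 90.2.1.31 udp 6892",     # last address of 90.2.1.0/27
    "10.0.0.5 90.2.1.32 udp 6892",     # one past the /27, must not match
    "10.0.0.5 8.8.8.8 udp 53",
]


def triage(http_lines=SAMPLE_HTTP, flows=SAMPLE_FLOWS):
    """Run both checks and collect (input, reasons) pairs for every hit."""
    hits = []
    for line in http_lines:
        reasons = check_http(line)
        if reasons:
            hits.append((line, reasons))
    for rec in flows:
        reason = check_flow(rec)
        if reason:
            hits.append((rec, [reason]))
    return hits


if __name__ == "__main__":
    for item, why in triage():
        print(item, "=>", "; ".join(why))
```

The CIDR check matters for the UDP indicator because the check-in goes to a range rather than a single address; matching on the /27 and /23 boundaries (note the 90.2.1.32 sample, which is deliberately one address past the range) is what separates this traffic from ordinary UDP noise.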

Traffic:

[Image: traffic capture]

Hashes:

SHA256: 85c6e214e0d0c33a001c1096a6e03231ea3b3fbbf4a9afbd58a1230735e2ff73
File name: SundownEK Landing Page.html

SHA256: 0744ba67c5f8210fcdcf4acb328df68780e96d10f2c68b8eddbb9a355bca213e
File name: SundownEK Flash Exploit.swf

SHA256: f4845a817b7b777972ceb292b62103b296a002577884b952e4726e419a7f1df6
File name: SundownEK Flash Exploit 2.swf

SHA256: 67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6
File name: SundownEK Flash Exploit 3.swf

SHA256: e93f568ecd22e351cc3f0d8f8b3177fa7af812300cbb259a84b80013301a2601
File name: bvfhjgejhfrg.png

SHA256: 40f67e693b44cb973c914fdf8defb3bdc7df852c4f37a0a4344022923ded0aef
File name: OTTYUADAF

SHA256: 0a684fba47e55e140460d2e6ef62c7b6a378b204cc85c1086da8d6e2fa7c28ca
File name: radE76F1.tmp.exe
Hybrid-Analysis Report

Infection Chain:

The infection chain starts off when the user visits the compromised website. Injected in the source code of the page was the EITest script:

[Image: injected EITest script]

The URL within the script shown above redirects the host to a Sundown EK landing page. Below is a partial image of that landing page.

[Image: Sundown EK landing page (partial)]

For anyone wanting to see the full text of the landing page, you can download the file here: sundownek-landing. The password is the same as the one used by other security researchers. If you need the password, send me an email or contact me on Twitter.

I then saw the EK deliver 3 Flash exploits:

[Images: first Flash exploit request, second Flash exploit, third Flash exploit]

I’ve seen some of these Flash exploits before. For example, the first Flash exploit was uploaded to VT on 2016-12-21 13:36:19 UTC and was from RIG-v EK.

We also see the EK retrieve a white PNG image which is used to obtain additional malicious code:

[Image: Sundown EK PNG request]

To read more about the steganography technique being used by Sundown see the following TrendMicro blog post http://blog.trendmicro.com/trendlabs-security-intelligence/updated-sundown-exploit-kit-uses-steganography/.

The first file we see being created in %Temp% is one called “OTTYUADAF,” which is a script used to download the payload. As a side note, the file hash was identical to one that I first submitted to VT 4 weeks ago (2016-12-22 04:58:45 UTC).

You can also see the Cerber payload being dropped in %Temp% under the name radE76F1.tmp.exe. One folder and two files within that folder are partially named after the machine’s GUID. Following the execution of the executable we see the Cerber check-in traffic via UDP port 6892 (see IOCs above for CIDR ranges).

Below is an image of the Desktop showing it has been changed to display the ransom note, as well as the .hta and .jpg ransom notes being dropped:

The naming convention of the Cerber ransom notes was recently changed to _HELP_HELP_HELP_<random 1-9 A-Z>.hta and .jpg.
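The host-side artifacts above (the %Temp% drops, their hashes and the new ransom-note naming) can be checked the same way. This is an added example rather than the post's own tooling: the SHA256 values and file names come from the hash list in the post, while the file-event format, the sample events and the profile-path layout used for the %Temp% check are assumptions. The ransom-note regex treats the `<random 1-9 A-Z>` part as one or more characters from that set, since the post does not state its length.

```python
import re
from pathlib import PureWindowsPath

# Hashes and file names taken from the post's hash list.
KNOWN_BAD_SHA256 = {
    "40f67e693b44cb973c914fdf8defb3bdc7df852c4f37a0a4344022923ded0aef":
        "OTTYUADAF (Sundown download script)",
    "0a684fba47e55e140460d2e6ef62c7b6a378b204cc85c1086da8d6e2fa7c28ca":
        "radE76F1.tmp.exe (Cerber payload)",
    "e93f568ecd22e351cc3f0d8f8b3177fa7af812300cbb259a84b80013301a2601":
        "bvfhjgejhfrg.png (Sundown steganography PNG)",
}

# Ransom-note pattern from the post: _HELP_HELP_HELP_<random 1-9 A-Z>.hta / .jpg.
# Assumption: the random part is one or more characters from [1-9A-Z].
RANSOM_NOTE = re.compile(r"^_HELP_HELP_HELP_[1-9A-Z]+\.(?:hta|jpg)$", re.IGNORECASE)


def is_cerber_note(filename):
    """True if the bare file name matches the Cerber ransom-note convention."""
    return bool(RANSOM_NOTE.match(filename))


def is_temp_dir(path):
    """Constructed %Temp% check: path sits under <profile>\\AppData\\Local\\Temp."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "appdata" in parts and "local" in parts and "temp" in parts


def classify_event(event):
    """event: dict with 'path' and optionally 'sha256' (constructed format).
    Returns a list of findings; empty means nothing matched."""
    path = event["path"]
    name = PureWindowsPath(path).name
    findings = []
    label = KNOWN_BAD_SHA256.get(event.get("sha256", "").lower())
    if label:
        findings.append(f"known hash: {label}")
    if is_cerber_note(name):
        findings.append("Cerber ransom note name")
    if is_temp_dir(path) and name.lower().endswith(".exe"):
        findings.append("executable written to %Temp%")
    return findings


# Constructed file-creation events; hashes on the two drops are the post's values.
SAMPLE_EVENTS = [
    {"path": r"C:\Users\victim\AppData\Local\Temp\OTTYUADAF",
     "sha256": "40f67e693b44cb973c914fdf8defb3bdc7df852c4f37a0a4344022923ded0aef"},
    {"path": r"C:\Users\victim\AppData\Local\Temp\radE76F1.tmp.exe",
     "sha256": "0a684fba47e55e140460d2e6ef62c7b6a378b204cc85c1086da8d6e2fa7c28ca"},
    {"path": r"C:\Users\victim\Desktop\_HELP_HELP_HELP_7X3Q.hta"},
    {"path": r"C:\Users\victim\Desktop\notes.txt"},
]


def scan(events=SAMPLE_EVENTS):
    """Return (path, findings) for every event that produced at least one finding."""
    results = []
    for event in events:
        findings = classify_event(event)
        if findings:
            results.append((event["path"], findings))
    return results


if __name__ == "__main__":
    for path, findings in scan():
        print(path, "=>", "; ".join(findings))
```

The hash match is the high-confidence signal; the name-based checks are there because the payload name and ransom-note suffix are random per infection, so a hash list alone will miss the next sample from the same campaign.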

As always, block the EK IP at your perimeter firewall(s).
