pseudoDarkleech Leads to Rig EK at and Drops Cerber Ransomware


  • – – Compromised site
  • – – Rig EK
  • and – UDP traffic via port 6892
  • – – Bitcoin blockchain
    • – Cerber Decryptor site
    • – Cerber Decryptor site
    • – Cerber Decryptor site
  • – – Cerber Decryptor site




  1. SHA256: ab8d6638977e34c0d14f096d02e3a973c1c624845e075c48e696c35f7e35020a
    File name: RigEK Landing Page.html
  2. SHA256: 662ba372c286dcd19d52720052b2f8bb9042d60dea47349974016f39b454d46e
    File name: RigEK Flash Exploit.swf
  3. SHA256: 38f0da482f58291557839d4fd9fd198a77b7ec254351f0e7c2adc68b526afa4e
    File name: radB885F.tmp.exe

Infection Chain:

This was a typical pseudoDarkleech infection chain leading to a Rig EK server. Below is the malicious script that was found on the compromised site:


That pseudoDarkleech script redirected the host to the Rig EK server, which served a Flash exploit and then the Cerber payload. Post-infection traffic following delivery of the payload included the host sending UDP datagrams to port 6892 on every IP in subnets and (two times each). We then see traffic to the bitcoin blockchain site and to the Cerber Decryptor payment sites.
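The UDP sweep described above is the most distinctive network artifact of this infection: one internal host touching every address in a /24 on a single high UDP port, twice. The script below is an added example (not the author's tooling and not from the original post) that flags that behaviour in flow records. The record format (`ts src sport dst dport proto`), the subnet 198.51.100.0/24, the hosts 10.0.0.23 and 10.0.0.50, and the threshold of 32 distinct destinations are all assumptions chosen for illustration; only the destination port 6892 comes from the post.

```python
"""Flag Cerber-style UDP sweeps in flow records.

Added example for this post, not the author's tooling. The post reports the
infected host sending UDP to every IP in certain subnets on port 6892, twice
each. This looks for any source that reaches many distinct hosts in one /24
on that port. Record format, subnet 198.51.100.0/24, hosts 10.0.0.23 and
10.0.0.50 and the threshold of 32 are all assumptions for illustration.
"""
import ipaddress
from collections import defaultdict

CERBER_UDP_PORT = 6892   # destination port observed in the post
SWEEP_THRESHOLD = 32     # assumed: more distinct hosts in one /24 than a normal client reaches


def parse_flow(line):
    """Parse one record 'ts src sport dst dport proto'; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    ts, src, sport, dst, dport, proto = line.split()
    return {
        "ts": float(ts),
        "src": src,
        "sport": int(sport),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto.lower(),
    }


def find_udp_sweeps(lines, port=CERBER_UDP_PORT, threshold=SWEEP_THRESHOLD):
    """Group UDP flows to `port` by (source, destination /24).

    Returns {(src, "a.b.c.0/24"): {"distinct": n, "datagrams": m, "coverage": f}}
    for every group whose distinct destination count reaches `threshold`;
    coverage is the fraction of the 254 usable host addresses that were hit.
    """
    dsts_by_key = defaultdict(list)
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] != port:
            continue
        net = ipaddress.ip_network(f"{rec['dst']}/24", strict=False)
        dsts_by_key[(rec["src"], str(net))].append(rec["dst"])

    hits = {}
    for key, dsts in dsts_by_key.items():
        distinct = len(set(dsts))
        if distinct >= threshold:
            hits[key] = {
                "distinct": distinct,
                "datagrams": len(dsts),
                "coverage": distinct / 254,
            }
    return hits


def constructed_flows():
    """Constructed sample records (not captured from the infection in the post).

    10.0.0.23 plays the infected host: it hits every address in
    198.51.100.0/24 on UDP/6892 twice. 10.0.0.50 is a benign host that only
    touches a couple of addresses on that port.
    """
    lines = ["# ts src sport dst dport proto"]
    t = 1000.0
    for _ in range(2):
        for host in range(1, 255):
            lines.append(f"{t:.2f} 10.0.0.23 49152 198.51.100.{host} 6892 udp")
            t += 0.01
    lines += [
        "1100.00 10.0.0.50 53412 10.0.0.1 53 udp",
        "1100.50 10.0.0.50 53413 198.51.100.7 6892 udp",
        "1101.00 10.0.0.50 53414 198.51.100.9 6892 udp",
        "1101.50 10.0.0.50 40000 203.0.113.5 443 tcp",
    ]
    return lines


if __name__ == "__main__":
    for (src, net), stats in sorted(find_udp_sweeps(constructed_flows()).items()):
        print(f"{src} swept {net}: {stats['distinct']} hosts, "
              f"{stats['datagrams']} datagrams, {stats['coverage']:.0%} of the /24")
```

On real data, feed it NetFlow or Zeek conn.log rows mapped to the six columns above. The threshold is the knob to tune: a sweep of an entire /24 gives coverage near 100%, while legitimate UDP/6892 traffic from a workstation should stay at a handful of destinations, so a low threshold is safe for this port but should be raised if you generalise the check to ports such as 53 or 123.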

Below is an image of the Desktop post-infection and the files dropped in %TEMP%:


I recommend blocking the Rig EK IP at your perimeter firewall(s). Rig EK infrastructure rotates IP addresses frequently, so treat a single IP block as a short-lived measure and pair it with the other indicators listed above.

  1. How to remove this?



    1. If the files are encrypted then you might be out of luck. I don’t think there is a way to decrypt files infected by this version of Cerber. However, sometimes AV companies release decryption tools. My best advice is to keep regular backups handy.


