pseudoDarkleech Leads to Rig EK at Which Drops Cerber


  • – – Compromised site
  • – – Rig EK
  • and – UDP traffic via port 6892
  • – – Bitcoin block explorer
  • – – Cerber Decryptor payment site




  1. SHA256: 9eba65e897e6eba00ffaa3b0639f995f59ddb75df5159565a793a87cc05e4389
    File name: RigEK Landing Page.html
  2. SHA256: 447481e6592cca3a787e823e1b146240ce2b11ac24fbb6ec141e6a1300a6d4fe
    File name: RigEK Flash Exploit.swf
  3. SHA256: 6da39edbd0a1455beaac5ae1c163624519998abd8f3abc74316b73ab98f83a9d
    File name: IIj6sFosp
  4. SHA256: 306b2d18efdfc5254e4623fb63225534ddef7874224948d1c7f62707405c153a
    File name: rad5EC32.tmp.exe

Infection Chain:

Below is an image of me inspecting the compromised website and finding it has been injected with the pseudoDarkleech script:


The URL within the iframe points the host to the Rig EK landing page. Once on the landing page the host is fingerprinted before being sent a Flash exploit and the payload. There is the typical extension-less .js downloader (IIj6sFosp) dropped into %TEMP%, followed by rad5EC32.tmp.exe.

The host then makes UDP connections to all the IPs in and via port 6892. The user’s Desktop is then changed to display the Cerber ransom note, and an audio message tells the user that their files have been encrypted.

Below is an image of the Desktop and some Cerber files dropped into %TEMP%:


Several “README” .hta files are then dropped on the Desktop and in various other folders. This HTML Application contains the Cerber Decryptor payment instructions.

If you’re working in a SOC or have multiple customers, you can search their network traffic for hosts making UDP connections to the two subnets listed in the IOC section. Filter the traffic by UDP port 6892; a single internal host reaching out to an entire subnet on that port should be easy to spot. I would also highly recommend blocking the Rig EK IP address at your perimeter firewall(s).
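The hunt described above, as an added example that is not part of the original post: it parses Zeek-style conn.log records and flags any internal host that contacts many distinct destinations inside one /24 on UDP/6892, which is the "one host sweeping an entire subnet" pattern Cerber produces. The sample log lines are constructed for this example and use RFC 5737 placeholder ranges, not the real subnets from the IOC section; the threshold of 16 distinct hosts per /24 and the optional `watch_subnets` filter are assumptions you should tune to your own environment.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Zeek-style conn.log records (tab separated):
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
# 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 placeholders standing in for the
# two Cerber subnets; 10.0.0.25 is the constructed infected host.
SAMPLE_CONN_LOG = "\n".join(
    [f"1480000000.{i:03d}\t10.0.0.25\t{50000 + i}\t192.0.2.{i}\t6892\tudp" for i in range(1, 41)]
    + [f"1480000001.{i:03d}\t10.0.0.25\t{51000 + i}\t198.51.100.{i}\t6892\tudp" for i in range(1, 41)]
    + [
        "1480000002.000\t10.0.0.25\t52000\t203.0.113.10\t443\ttcp",   # unrelated HTTPS, ignored
        "1480000003.000\t10.0.0.31\t52001\t192.0.2.5\t6892\tudp",      # a second host with only
        "1480000004.000\t10.0.0.31\t52002\t192.0.2.9\t6892\tudp",      # two hits: below threshold
    ]
)

CERBER_UDP_PORT = 6892
# Assumed heuristic: a legitimate client rarely touches this many distinct hosts
# in one /24 on a single UDP port. Tune for your environment.
MIN_HOSTS_PER_SUBNET = 16


def parse_conn_log(text):
    """Parse the six fields we need from each conn.log line; skip headers and junk."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        ts, src, _sport, dst, dport, proto = fields[:6]
        try:
            records.append({
                "ts": float(ts),
                "src": src,
                "dst": dst,
                "dport": int(dport),
                "proto": proto.lower(),
            })
        except ValueError:
            continue  # malformed line, ignore
    return records


def find_udp_subnet_sweeps(records, port=CERBER_UDP_PORT, min_hosts=MIN_HOSTS_PER_SUBNET,
                           watch_subnets=None):
    """Return {(src, subnet_cidr): distinct_dst_count} for every source that reached at
    least min_hosts distinct destinations within a single /24 on the given UDP port.
    watch_subnets (optional list of CIDR strings, e.g. the IOC subnets) restricts the
    search to those ranges; with it unset the sweep pattern is detected for any /24."""
    watched = [ipaddress.ip_network(s) for s in (watch_subnets or [])]
    seen = defaultdict(set)
    for r in records:
        if r["proto"] != "udp" or r["dport"] != port:
            continue
        dst = ipaddress.ip_address(r["dst"])
        if watched and not any(dst in net for net in watched):
            continue
        subnet = ipaddress.ip_network(f"{dst}/24", strict=False)
        seen[(r["src"], str(subnet))].add(str(dst))
    return {key: len(hosts) for key, hosts in seen.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    hits = find_udp_subnet_sweeps(parse_conn_log(SAMPLE_CONN_LOG))
    for (src, subnet), n in sorted(hits.items()):
        print(f"{src} swept {n} hosts in {subnet} on UDP/{CERBER_UDP_PORT}")
```

Pass the two IOC subnets as `watch_subnets` when you already know them; leave it unset to catch the same behaviour against ranges that are not yet on your list, which is also how you would notice a new Cerber build that rotated its UDP targets.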
