pseudoDarkleech Leads to Rig EK at & Drops Cerber Ransomware


  • – – Compromised website
  • – – Rig EK
  • and – UDP traffic via port 6892
  • – – Bitcoin block explorer
  • – – Cerber Decryptor payment site




  1. SHA256: 2cfbbe508cdfe85767c4ad9f097adce52bb8a630598f9b2d191b7dc82f195069
    File name: RigEK Landing Page.html
  2. SHA256: 3474904d1dfd8943d3c779d621aa9767465532f288523bae6b57194b35fb3e6e
    File name: RigEK Flash Exploit.swf
  3. SHA256: 05d0f6625551fc4787430495d8c4f103e00624e7e64eb93b3c3bdbfb789981b2
    File name: IIj6sFosp
  4. SHA256: e14f32bdfbb2dc1117736029677effdedec2f570d73092261ba98f040a1b282f
    File name: rad18B1D.tmp.exe
  5. SHA256: 74f2aa78e874d215f4a4b27b10ac3cfa2521dc2e9632a9eb13d52e8727e5fa74
    File name: Dialogs.dll

Infection Chain:

The compromised website that I visited (the first indicator listed above) had been injected with a malicious iframe associated with the pseudoDarkleech campaign. Below is an image of the iframe found within the page source:


Once the page loads, the host is redirected to the Rig EK landing page. The host is then sent a Flash exploit, an extension-less JS downloader and the payload. Here you can see the JS downloader (IIj6sFosp) and the payload (rad18B1D.tmp.exe):


Note that it also drops the ransom-note bitmap image (tmp9740) and README.hta (the user instructions), and creates the two folders shown at the top (551ef835 and nskC8DC.tmp).

There were also numerous files created in the Roaming folder including the injector (Dialogs.dll):


Lastly, we see the Cerber ransomware instructions (README.hta) dropped on the Desktop and the desktop background image changed. Here is a picture of both the Desktop and a partial image of the instructions:

Here are some images of the Cerber Decryptor instruction pages:


I recommend blocking the Rig EK IP at your perimeter firewall(s). If necessary you can also block access to the compromised website. Outbound UDP to port 6892, which appears here as Cerber's post-infection traffic, is also worth alerting on.
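The following triage script is an added example and not part of the original post. It turns the indicators above into two checks a responder can run offline: a directory sweep that hashes files and matches them against the five SHA256 values listed, and a scan of Zeek-style conn.log records for outbound UDP to port 6892. The log lines, the RFC 5737 documentation addresses in them, and the empty-file self-check are constructed for the example; the post's own IP addresses are not reproduced here.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# SHA256 hashes from the post (the five artifacts of this infection chain).
IOC_SHA256 = {
    "2cfbbe508cdfe85767c4ad9f097adce52bb8a630598f9b2d191b7dc82f195069": "RigEK Landing Page.html",
    "3474904d1dfd8943d3c779d621aa9767465532f288523bae6b57194b35fb3e6e": "RigEK Flash Exploit.swf",
    "05d0f6625551fc4787430495d8c4f103e00624e7e64eb93b3c3bdbfb789981b2": "IIj6sFosp",
    "e14f32bdfbb2dc1117736029677effdedec2f570d73092261ba98f040a1b282f": "rad18B1D.tmp.exe",
    "74f2aa78e874d215f4a4b27b10ac3cfa2521dc2e9632a9eb13d52e8727e5fa74": "Dialogs.dll",
}

# Cerber's post-infection UDP traffic in this run went to destination port 6892.
CERBER_UDP_PORT = 6892

# Constructed Zeek conn.log excerpt (documentation IPs, not the post's addresses).
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "1481000000.1\tC1\t192.0.2.10\t49152\t203.0.113.5\t80\ttcp\thttp",
    "1481000001.2\tC2\t192.0.2.10\t51000\t198.51.100.20\t6892\tudp\t-",
    "1481000001.3\tC3\t192.0.2.10\t51000\t198.51.100.21\t6892\tudp\t-",
    "1481000002.0\tC4\t192.0.2.11\t53000\t198.51.100.53\t53\tudp\tdns",
]


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA256 so large payloads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_directory(root, iocs=IOC_SHA256):
    """Return {path: indicator_name} for every file under root whose hash is in iocs."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if digest in iocs:
                hits[path] = iocs[digest]
    return hits


def find_udp_6892(conn_lines, port=CERBER_UDP_PORT):
    """Return {src_ip: sorted list of dst_ips} for UDP flows to `port`.

    Expects tab-separated Zeek conn.log records; fields 2, 4, 5 and 6 are
    id.orig_h, id.resp_h, id.resp_p and proto. Header lines start with '#'.
    """
    out = defaultdict(set)
    for line in conn_lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        src, dst, dport, proto = fields[2], fields[4], fields[5], fields[6]
        if proto == "udp" and dport == str(port):
            out[src].add(dst)
    return {src: sorted(dsts) for src, dsts in out.items()}


def demo_sweep():
    """Constructed self-check: the SHA256 of an empty file is well known, so add it to
    a copy of the IOC table and confirm the sweep flags exactly that file."""
    empty_sha = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    iocs = dict(IOC_SHA256, **{empty_sha: "constructed-empty-file"})
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "empty.bin"), "wb").close()
        with open(os.path.join(d, "benign.txt"), "wb") as f:
            f.write(b"not an indicator\n")
        hits = sweep_directory(d, iocs)
        return {os.path.basename(p): n for p, n in hits.items()}


if __name__ == "__main__":
    print("hash sweep:", demo_sweep())
    print("UDP/6892 talkers:", find_udp_6892(SAMPLE_CONN_LOG))
```

Point `sweep_directory` at a suspect host's Temp and Roaming folders to look for the dropped files; feed `find_udp_6892` your own conn.log to list which internal hosts are emitting the Cerber UDP traffic and how many destinations each one touched.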
