Rig EK at Drops Cerber Ransomware


  • – heathfoodstorenewsmyrna.com – Compromised website
  • – we.jessicaandclayton.com – Rig EK
  • and – UDP traffic via port 6892
  • – btc.blockr.io – Bitcoin block explorer
  • – ffoqr3ug7m726zou.zn90h4.bid – Cerber Decryptor payment site




  1. SHA256: 2c68d7b4f7bb14a8b9f3986360bd351f34565eb0a4029ee01cc8588bcddb8c50
    File name: RigEK Landing Page.html
  2. SHA256: 3474904d1dfd8943d3c779d621aa9767465532f288523bae6b57194b35fb3e6e
    File name: RigEK Flash Exploit.swf
  3. SHA256: 05d0f6625551fc4787430495d8c4f103e00624e7e64eb93b3c3bdbfb789981b2
    File name: IIj6sFosp
  4. SHA256: e14f32bdfbb2dc1117736029677effdedec2f570d73092261ba98f040a1b282f
    File name: rad58011.tmp.exe
  5. SHA256: 74f2aa78e874d215f4a4b27b10ac3cfa2521dc2e9632a9eb13d52e8727e5fa74
    File name: Dialogs.dll

Infection Chain:

The compromised website in this traffic was heathfoodstorenewsmyrna.com. It had been injected with a malicious iframe associated with the pseudoDarkleech campaign. Below is an image of the iframe in the page source:
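The injected iframe is the one artifact in this chain that a site owner or a web proxy can catch before any exploit runs. The script below is an added example (not code from the original post) that walks the HTML of a page and reports iframes that are both concealed (hidden style, off-screen position or 1x1 size) and loaded from a host other than the page's own. The sample page is constructed for illustration; the iframe in it points at the Rig EK landing host from the IOC list above, but its path, the surrounding markup and the exact styling are assumptions.

```python
"""Flag concealed, externally sourced iframes in an HTML document.

Added example, not code from the original post. SAMPLE_HTML is constructed;
the injected iframe's path and styling are assumptions made for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_HOST = "heathfoodstorenewsmyrna.com"  # the compromised site from the post

# Constructed sample: a normal page with one legitimate third-party embed and
# one injected, hidden iframe of the kind the pseudoDarkleech campaign used.
SAMPLE_HTML = """
<html><body>
<h1>Health food store news</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://we.jessicaandclayton.com/?q=landing" width="1" height="1"
        style="position:absolute;top:-999px;left:-999px;visibility:hidden"></iframe>
<p>Opening hours...</p>
</body></html>
"""

# display:none, visibility:hidden, or a large negative offset that pushes
# the frame off-screen
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|-\d{3,}px", re.I)


def _tiny(value):
    """True when a width/height attribute is two pixels or less."""
    try:
        return int(value) <= 2
    except (TypeError, ValueError):
        return False


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def suspicious_iframes(html, page_host=PAGE_HOST):
    """Return (src, reasons) for iframes that are concealed AND external.

    A visible third-party embed (the YouTube frame) is normal, and a hidden
    same-origin frame is a common template trick, so only the combination of
    concealment and a foreign host is reported.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host  # relative src -> same host
        reasons = []
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden-style")
        if _tiny(attrs.get("width")) and _tiny(attrs.get("height")):
            reasons.append("tiny-size")
        external = host != page_host and not host.endswith("." + page_host)
        if external and reasons:
            reasons.append("external-host:" + host)
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML):
        print(src, why)
```

Run it against a saved copy of the page (or feed it the response body at the proxy) and review anything it reports by hand; the heuristic is deliberately narrow so that ordinary embeds do not drown the one injected frame.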


Once the page loads, the host is redirected to the Rig EK landing page. The host is then sent a Flash exploit, a JS downloader and the payload. Here you can see the JS downloader (IIj6sFosp) and the payload (rad58011.tmp.exe):


Note that it also drops the ransom note bitmap image (tmp140D) and the README.hta (user instructions), and creates both folders shown at the top (551ef835 and ns22EE.tmp).

Numerous files were also created in the Roaming folder, including the injector (Dialogs.dll):


Lastly we see the Cerber ransomware instructions (README.hta) dropped on the Desktop and the wallpaper changed. Here is a picture of both the Desktop and a partial image of the instructions:

Here are some images of the Cerber Decryptor instruction pages:


I recommend blocking the Rig EK IP at your perimeter firewall(s). If necessary you can also block access to the compromised website. Keep in mind that Rig EK domains and IPs rotate frequently, so the network indicators above age quickly; the outbound UDP traffic on port 6892 and the file hashes are worth sweeping for as well.
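Beyond a firewall block, the IOCs in this post can be swept for in proxy and firewall logs and in file hashes from affected hosts. The script below is an added example (not code from the original post) that does both: it matches the listed domains and the UDP port 6892 traffic against log lines, and matches observed SHA256 digests against the hash list. The log lines, their field layout (timestamp, source, destination, proto/port, URL or query name) and the RFC 5737 addresses in them are constructed for illustration and are not the IPs from the capture, which are not reproduced here; adapt the parser to your own log format.

```python
"""Sweep log lines and file hashes for the IOCs listed in this post.

Added example, not code from the original post. SAMPLE_LOG and its field
layout are constructed assumptions; adapt parse to your own log source.
"""
from urllib.parse import urlparse

# Domain IOCs from the post's list
IOC_DOMAINS = {
    "heathfoodstorenewsmyrna.com": "compromised website",
    "we.jessicaandclayton.com": "Rig EK landing page",
    "btc.blockr.io": "Bitcoin block explorer",
    "ffoqr3ug7m726zou.zn90h4.bid": "Cerber Decryptor payment site",
}

# Cerber's post-infection UDP traffic seen in the capture
CERBER_UDP_PORT = 6892

# SHA256 IOCs from the post, keyed by lowercase hex digest
IOC_SHA256 = {
    "2c68d7b4f7bb14a8b9f3986360bd351f34565eb0a4029ee01cc8588bcddb8c50": "RigEK Landing Page.html",
    "3474904d1dfd8943d3c779d621aa9767465532f288523bae6b57194b35fb3e6e": "RigEK Flash Exploit.swf",
    "05d0f6625551fc4787430495d8c4f103e00624e7e64eb93b3c3bdbfb789981b2": "IIj6sFosp",
    "e14f32bdfbb2dc1117736029677effdedec2f570d73092261ba98f040a1b282f": "rad58011.tmp.exe",
    "74f2aa78e874d215f4a4b27b10ac3cfa2521dc2e9632a9eb13d52e8727e5fa74": "Dialogs.dll",
}

# Constructed sample log: "<timestamp> <src> <dst> <proto>/<port> <url|qname|->"
# using RFC 5737 documentation addresses, not real infrastructure.
SAMPLE_LOG = """\
2017-01-12T10:02:11 10.0.0.15 203.0.113.5 tcp/80 http://heathfoodstorenewsmyrna.com/index.php
2017-01-12T10:02:13 10.0.0.15 203.0.113.9 tcp/80 http://we.jessicaandclayton.com/?q=landing
2017-01-12T10:02:20 10.0.0.15 198.51.100.7 udp/6892 -
2017-01-12T10:02:21 10.0.0.15 198.51.100.8 udp/6892 -
2017-01-12T10:03:01 10.0.0.15 203.0.113.20 tcp/443 https://btc.blockr.io/api/v1/address/info/x
2017-01-12T10:05:00 10.0.0.22 203.0.113.30 tcp/443 https://www.example.com/
2017-01-12T10:06:00 10.0.0.22 203.0.113.31 udp/53 jessicaandclayton.com
"""


def host_matches(host, iocs=IOC_DOMAINS):
    """Return the IOC that host equals or is a subdomain of, else None.

    Matching is deliberately not widened to parent domains: the Rig EK host
    is we.jessicaandclayton.com, and flagging jessicaandclayton.com itself
    would also catch whatever legitimate site lives at the parent.
    """
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def sweep(log_text):
    """Return (line_no, src_ip, reason) for every log line that hits an IOC."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue  # malformed or truncated line
        _ts, src, dst, proto_port, target = parts
        proto, _, port = proto_port.partition("/")
        if proto == "udp" and port == str(CERBER_UDP_PORT):
            hits.append((n, src, f"udp/{CERBER_UDP_PORT} to {dst}"))
            continue
        if target == "-":
            continue
        host = urlparse(target).hostname if "://" in target else target
        ioc = host_matches(host) if host else None
        if ioc:
            hits.append((n, src, f"{ioc} ({IOC_DOMAINS[ioc]})"))
    return hits


def affected_hosts(hits):
    """Distinct source IPs that produced at least one hit, sorted."""
    return sorted({src for _n, src, _reason in hits})


def match_hashes(observed):
    """observed: {path: sha256 hex}. Return (path, ioc_name) for known digests."""
    return [(path, IOC_SHA256[d.lower()]) for path, d in observed.items()
            if d.lower() in IOC_SHA256]


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(hit)
    print("affected hosts:", affected_hosts(SAMPLE_LOG and sweep(SAMPLE_LOG)))
```

The UDP 6892 check is the most durable of the three: the landing domain and IP change far more often than the ransomware's post-infection traffic, so an alert on outbound UDP to that port from a workstation will keep firing after the rest of these indicators are stale.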
