pseudoDarkleech Leads to Rig-V EK at and Drops Cerber

IOCs:

  • – – Compromised website
  • – – Rig-V EK
  • Cerber check-in UDP traffic via port 6892 (3 times for all IPs in each subnet listed below):
  • – – Bitcoin block explorer
  • – – Cerber Decryptor site
  • – – Cerber Decryptor site
  • – – Cerber Decryptor site
  • – – Cerber Decryptor site
SHA256: aba6cf28484e85ee238077ad85d00a82f67e2cc45c4dbe9a4bf1f938e1638276
File name: Rig-V EK Landing Page.html

SHA256: 3f1cad5d97184d4a090182cc7bc952c939545bc7291f4dbc96ac121e29ba3236
File name: Rig-V EK Flash Exploit.swf

SHA256: 284a9869c421fe562d98c04dc0c4c51973e10c39570a21c9547562ff59f90bfc
File name: MXj6sFosp

SHA256: 96297e59f7e92c282c46b39fe7edbcab85d9e820b9e280c3ec38c520f00105fc
File name: rad82735.tmp.exe
Hybrid-Analysis Link

Infection Chain:

The infection started off with the host being redirected from a pseudoDarkleech script to the EK landing page. Below is an image of the script:


Once on the landing page the host was sent a Flash exploit and then a Cerber ransomware payload. Images of each step (landing page, Flash exploit, and payload) are shown below:


The payload is downloaded by the following script, which is dropped in %Temp%:


The downloaded payload is then dropped in %Temp% under the name rad82735.tmp.exe. The executable deletes itself after the infection.

Below is an image of files created in %Temp%:


The Desktop background then changes to the Cerber ransom note and there is an .hta ransom note dropped as well:


If you work in a SOC, I would recommend scanning the networks that you monitor for Cerber’s UDP check-in traffic listed in the IOCs section. I would also block the EK IP address.
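As an added example (not part of the original post), a small detector for the check-in pattern described above: it reads flow records and flags any source that reaches many distinct hosts on 6892/udp inside one subnet, which is what a Cerber sweep looks like from a network sensor. The record format, the /24 grouping and the alert threshold are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

CERBER_CHECKIN_PORT = 6892
# Distinct destination hosts inside one /24 before alerting (assumed threshold;
# a single 6892/udp flow is weak evidence, a subnet sweep is the signal).
SPRAY_THRESHOLD = 20

def parse_flow(line):
    """Parse a constructed flow record: 'src_ip dst_ip proto dst_port count'."""
    src, dst, proto, dport, count = line.split()
    return src, dst, proto.lower(), int(dport), int(count)

def find_cerber_spray(lines, threshold=SPRAY_THRESHOLD):
    """Map src_ip -> {subnet: (distinct_hosts, datagrams)} for every source that
    reached >= threshold distinct hosts on 6892/udp inside a single /24."""
    hits = defaultdict(lambda: defaultdict(lambda: [set(), 0]))
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, count = parse_flow(line)
        if proto != "udp" or dport != CERBER_CHECKIN_PORT:
            continue
        # Group by /24: an assumption, since the post's subnet list is not reproduced here.
        entry = hits[src][ip_network(f"{dst}/24", strict=False)]
        entry[0].add(ip_address(dst))
        entry[1] += count
    alerts = {}
    for src, subnets in hits.items():
        for subnet, (hosts, total) in subnets.items():
            if len(hosts) >= threshold:
                alerts.setdefault(src, {})[str(subnet)] = (len(hosts), total)
    return alerts

# Constructed sample flows: one workstation sweeping 10.123.45.0/24 with three
# datagrams per host (the pattern the post describes), one benign host with a
# single 6892/udp flow, and unrelated TCP traffic.
SAMPLE_FLOWS = ["# src dst proto dport count"]
SAMPLE_FLOWS += [f"192.168.1.50 10.123.45.{i} udp 6892 3" for i in range(1, 255)]
SAMPLE_FLOWS += ["192.168.1.77 10.123.45.9 udp 6892 1",
                 "192.168.1.77 203.0.113.8 tcp 443 12"]

if __name__ == "__main__":
    for src, subnets in find_cerber_spray(SAMPLE_FLOWS).items():
        for subnet, (hosts, total) in subnets.items():
            print(f"{src} -> {subnet}: {hosts} hosts, {total} datagrams on 6892/udp")
```

Only the sweeping host is reported at the default threshold; the benign host with one stray flow is not.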
