IOCs:
- 142.147.9.32 – carrollgymnastics.com – Compromised website
- 194.87.238.148 – new.ehrlichusedautos.com – Rig-V EK
- Cerber check-in UDP traffic to port 6892 (sent 3 times to every IP in each of the subnets listed below):
  - 15.49.2.0/27
  - 122.1.13.0/27
  - 194.165.16.0/24
  - 194.165.17.0/24
- 148.251.6.214 – btc.blockr.io – Bitcoin block explorer
- 54.91.45.162 – ffoqr3ug7m726zou.41c920.top – Cerber Decryptor site
- 54.91.45.162 – ffoqr3ug7m726zou.rovr6i.top – Cerber Decryptor site
- 192.157.248.209 – ffoqr3ug7m726zou.1hkmxu.top – Cerber Decryptor site
- 185.100.85.150 – ffoqr3ug7m726zou.onion.top – Cerber Decryptor site
Traffic:
Hashes:
SHA256: aba6cf28484e85ee238077ad85d00a82f67e2cc45c4dbe9a4bf1f938e1638276
File name: Rig-V EK Landing Page.html
SHA256: 3f1cad5d97184d4a090182cc7bc952c939545bc7291f4dbc96ac121e29ba3236
File name: Rig-V EK Flash Exploit.swf
SHA256: 284a9869c421fe562d98c04dc0c4c51973e10c39570a21c9547562ff59f90bfc
File name: MXj6sFosp
SHA256: 96297e59f7e92c282c46b39fe7edbcab85d9e820b9e280c3ec38c520f00105fc
File name: rad82735.tmp.exe
Hybrid-Analysis Link
Infection Chain:
The infection started off with the host being redirected from a pseudoDarkleech script to the EK landing page. Below is an image of the script:
Once on the landing page the host was sent a Flash exploit and then a Cerber ransomware payload. Images of each step (landing page, Flash exploit, and payload) are shown below:
The payload is downloaded by the following script, which is dropped in %Temp%:
The downloaded payload is then dropped in %Temp% under the name rad82735.tmp.exe. The executable deletes itself after the infection.
Below is an image of files created in %Temp%:
The Desktop background then changes to the Cerber ransom note and there is an .hta ransom note dropped as well:
If you work in a SOC, I would recommend scanning the networks that you monitor for Cerber's UDP check-in traffic listed in the IOCs section. I would also block the EK IP address.
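One way to act on that recommendation is to run flow or firewall logs through a small matcher for the check-in pattern given in the IOCs section: UDP to port 6892 into the four listed ranges, repeated across many addresses in each range. The script below is an added example written for this post, not code from the original write-up; the flow-record format ("src dst proto dport") and the sample records are constructed, while the subnets and port are the ones listed above.

```python
"""Flag Cerber-style UDP check-in traffic in flow records.

Added detection example (not from the original post). It matches the
pattern described in the IOCs: UDP datagrams to port 6892 destined for
addresses in the listed /27 and /24 ranges. The flow-log format and the
sample lines are constructed for this example.
"""
import ipaddress
from collections import defaultdict

# Subnets and port taken from the post's IOC list.
CERBER_CHECKIN_NETS = [
    ipaddress.ip_network(n)
    for n in ("15.49.2.0/27", "122.1.13.0/27", "194.165.16.0/24", "194.165.17.0/24")
]
CERBER_CHECKIN_PORT = 6892

# Constructed sample flow records: "src_ip dst_ip proto dst_port".
# 10.0.0.5 shows the sweep pattern (same target hit three times, several
# targets in the ranges); 10.0.0.9 has a single hit plus benign noise.
SAMPLE_FLOWS = """
10.0.0.5 15.49.2.1 udp 6892
10.0.0.5 15.49.2.1 udp 6892
10.0.0.5 15.49.2.1 udp 6892
10.0.0.5 15.49.2.2 udp 6892
10.0.0.5 15.49.2.3 udp 6892
10.0.0.5 194.165.16.77 udp 6892
10.0.0.5 148.251.6.214 tcp 443
10.0.0.9 8.8.8.8 udp 53
10.0.0.9 194.165.17.200 tcp 6892
10.0.0.9 122.1.13.20 udp 6892
"""


def parse_flow(line):
    """Parse one flow record; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, proto, dport = parts
    try:
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))
    except ValueError:
        return None


def is_cerber_checkin(dst, proto, dport):
    """True when the flow is UDP to port 6892 into one of the listed ranges."""
    return (proto == "udp"
            and dport == CERBER_CHECKIN_PORT
            and any(dst in net for net in CERBER_CHECKIN_NETS))


def find_suspect_hosts(flow_text, min_targets=1):
    """Summarise matching flows per source host.

    Returns {src_ip: {"flows": n_matching_flows, "targets": n_distinct_dsts}}
    for sources that hit at least `min_targets` distinct addresses in the
    ranges. A source sweeping many addresses is a much stronger signal than
    a single datagram, so raise min_targets to cut noise.
    """
    flows = defaultdict(int)
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if is_cerber_checkin(dst, proto, dport):
            flows[str(src)] += 1
            targets[str(src)].add(str(dst))
    return {
        src: {"flows": flows[src], "targets": len(targets[src])}
        for src in flows
        if len(targets[src]) >= min_targets
    }


if __name__ == "__main__":
    for host, summary in find_suspect_hosts(SAMPLE_FLOWS, min_targets=2).items():
        print(f"{host}: {summary['flows']} check-in flows to "
              f"{summary['targets']} addresses in Cerber ranges")
```

Point the matcher at exported NetFlow or firewall logs converted to the same four-field form; hosts that appear with several distinct targets in these ranges should be pulled for the %Temp% artifacts described above. The EK address 194.87.238.148 is not part of the check-in match because blocking it is a separate control from hunting already-infected hosts.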