pseudoDarkleech Points to Rig-V EK at and Drops Cerber


  • – – Compromised website
  • – – Rig-V EK
  • Cerber check-in traffic via UDP port 6892:
  • ICMP traffic from via destination port 6892
  • – – Bitcoin block explorer
  • – – Cerber Decryptor site
  • – – Cerber Decryptor site
  • – – Cerber Decryptor site




only showing partial image of UDP check-in traffic


SHA256: a3a9a34b1cb6a95153038c3f52110e4a4d8e5aa9bbebfff6aaa35ed2ffafda61
File name: RigV Flash Exploit.swf

SHA256: 06837a9b2209459006645507eb895a6f0bb720e62c94dcd6d121ad8fef071229
File name: QXj6sFosp

SHA256: 374444003ba034b649b05fa672deb85465fa6d0fedcaa3802cfaf76a42173ae9
File name: rad3ECBD.tmp.exe
Hybrid-Analysis Submission

SHA256: 5a2c93dfcc07736067e758aa6d7389b001161161309af1b9878f91d5ac215377
File name: rad447D3.tmp.exe (2nd run)
Hybrid-Analysis Submission

Infection Chain:

The infection chain begins with the user browsing to This WordPress site was compromised and is being injected with the pseudoDarkleech script:


pseudoDarkleech script

The iframe contains the URL for a Rig-V fingerprinting page. This page checks whether the User-Agent is Internet Explorer; if it is, the host makes a POST request for the landing page. After being redirected to the landing page the host is sent a Flash exploit, receives a JS downloader (QXj6sFosp) in %temp%, and finally downloads the Cerber ransomware payload.

In my infection chain I used both a 32-bit and a 64-bit version of Windows 7. Both infection chains returned the same Flash exploit and two different Cerber payloads. Below is an image from %temp% on both systems after full infection:

The reason why you are seeing three Cerber payloads in %temp% is that I refreshed the compromised website three times on each host.

Processes from both executables:

Once infected the user is presented with Cerber ransomware instructions which contain links to the Cerber Decryptor sites. The ransom note instructions are saved on the Desktop and in various folders.


You might want to consider blocking the EK sub-domain and IP address to prevent redirections to the EK server. Scanning your network(s) for the Cerber UDP check-in traffic will show you potentially compromised hosts.
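A small detection script, added here as an example and not the author's own tooling, that applies the indicators from this post: it scans flow records for hosts sending UDP traffic to port 6892 and checks observed SHA256 values against the file hashes listed above. The flow log, the 10.0.0.x and 203.0.113.x addresses, and the fan-out threshold are constructed for the demo and are assumptions, not data from the capture.

```python
"""Detection helpers for the Cerber indicators described in this post.

Added example for this write-up, not the author's own tooling. The flow
records are constructed for the demo; the destination port and SHA256
hashes are the indicators listed in the post.
"""
from collections import defaultdict

# Indicators from the post: Cerber check-in destination port (UDP) and
# the SHA256 hashes of the files observed in the infection chain.
CERBER_UDP_PORT = 6892
KNOWN_BAD_SHA256 = {
    "a3a9a34b1cb6a95153038c3f52110e4a4d8e5aa9bbebfff6aaa35ed2ffafda61": "RigV Flash Exploit.swf",
    "06837a9b2209459006645507eb895a6f0bb720e62c94dcd6d121ad8fef071229": "QXj6sFosp",
    "374444003ba034b649b05fa672deb85465fa6d0fedcaa3802cfaf76a42173ae9": "rad3ECBD.tmp.exe",
    "5a2c93dfcc07736067e758aa6d7389b001161161309af1b9878f91d5ac215377": "rad447D3.tmp.exe",
}


def parse_flow(line):
    """Parse one whitespace-separated flow record: ts src dst proto dport.

    Returns None for blank or malformed lines so one bad record cannot
    abort a scan of a large log.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    if not dport.isdigit():
        return None
    return {"ts": ts, "src": src, "dst": dst,
            "proto": proto.lower(), "dport": int(dport)}


def cerber_checkin_suspects(lines, min_destinations=8):
    """Return {src: distinct_destination_count} for hosts that sent UDP to
    port 6892 to at least `min_destinations` different addresses.

    Assumption (not stated in the post): a single UDP datagram to 6892 is
    weak evidence, so the fan-out across many destinations is the trigger.
    """
    destinations = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        if flow["proto"] == "udp" and flow["dport"] == CERBER_UDP_PORT:
            destinations[flow["src"]].add(flow["dst"])
    return {src: len(dsts) for src, dsts in destinations.items()
            if len(dsts) >= min_destinations}


def match_known_hashes(observed_sha256):
    """Map observed SHA256 values (any case) to the file names in the post."""
    hits = {}
    for digest in observed_sha256:
        key = digest.strip().lower()
        name = KNOWN_BAD_SHA256.get(key)
        if name:
            hits[key] = name
    return hits


def build_sample_flows():
    """Constructed flow log for the demo (documentation-range addresses).

    10.0.0.5 fans out UDP/6892 to 40 destinations (Cerber-like pattern);
    10.0.0.9 sends a single UDP/6892 datagram (below the threshold);
    10.0.0.7 only does DNS and HTTPS.
    """
    lines = [f"1478900001 10.0.0.5 203.0.113.{i} udp 6892" for i in range(1, 41)]
    lines += [
        "1478900002 10.0.0.7 203.0.113.50 udp 53",
        "1478900003 10.0.0.7 203.0.113.51 tcp 443",
        "1478900004 10.0.0.9 203.0.113.60 udp 6892",
        "malformed line",
    ]
    return lines


if __name__ == "__main__":
    for src, count in cerber_checkin_suspects(build_sample_flows()).items():
        print(f"possible Cerber check-in: {src} -> {count} hosts on UDP/{CERBER_UDP_PORT}")
    sample_hashes = ["374444003BA034B649B05FA672DEB85465FA6D0FEDCAA3802CFAF76A42173AE9",
                     "0" * 64]
    print(match_known_hashes(sample_hashes))
```

The threshold keeps a single stray datagram to 6892 from paging anyone; lower it if your sensor only sees a sample of flows, and feed the hash check from whatever your endpoint agent reports for files landing in %temp%.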
