pseudoDarkleech Redirects to Rig-V at Which Drops Cerber


  • – – Compromised website
  • – – Rig-v EK sub-domain
  • Cerber check-in traffic via UDP port 6892:
  • – – Bitcoin block explorer
  • – – Cerber Decryptor site




All UDP check-in traffic not shown


SHA256: df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf
File name: Rig-V Flash Exploit.swf

SHA256: 9f93a612da234591aa2645277aa0672ad53cfebe2697bdcf5e38e0920e270d35
File name: OTTYUADAF

SHA256: d6a7f7253e30ffbfddc85c34a905dd9022819df0629c698fe71bec384b041f6d
File name: radE36E2.tmp.exe
Hybrid-Analysis Submission

Infection Chain:

The infection begins with the compromised WordPress site being injected with the pseudoDarkleech script.


pseudoDarkleech script shown above (within the span tags)

The script redirects the host to the Rig-v EK landing page. Once on the landing page the host was sent a Flash exploit, a JS dropper, and finally the Cerber payload. Below is an image of the JS dropper:


We see the JS dropper and then the payload being downloaded to %temp%:


As with the case for pseudoDarkleech lately the compromised site can be refreshed numerous times meaning you are likely going to see multiple downloads of the Flash exploit and payload.

Following the execution of the payload we see the check-in traffic via UDP port 6892. The check-in subnets seen in this infection seem to be new.

I also noticed that during this infection the Cerber Instructions (contained within the .hta files) only had one location for the decryption software whereas it has been giving user’s multiple sub-domains:


Once infected a .jpg of the ransom note “_README_[7 alpha numeric]_” was displayed, as well as the background image of the Desktop is changed to a .bmp of the ransom note (found in %Temp%).

Users will find the Cerber ransomware instructions (.hta files in the format _README_[7 alpha numeric]_) in any folder with encrypted files. Encrypted files are renamed and appended with .ab8b.


Below is an image of the Desktop post-infection:


Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: