pseudoDarkleech Redirects to Rig-V at 195.133.49.182 Which Drops Cerber

IOCs:

  • 166.62.25.210 – dunlogginvet.com – Compromised website
  • 195.133.49.182 – art.thinleadermd.com – Rig-v EK sub-domain
  • Cerber check-in traffic via UDP port 6892:
    • 37.15.20.0/27
    • 77.1.12.0/27
    • 91.239.24.0/24
    • 91.239.25.0/24
  • 148.251.6.214 – btc.blockr.io – Bitcoin block explorer
  • 185.82.200.167 – avsxrcoq2q5fgrw2.1gaje2.top – Cerber Decryptor site

Traffic:

traffic-1

traffic-2

All UDP check-in traffic not shown

Hashes:

SHA256: df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf
File name: Rig-V Flash Exploit.swf

SHA256: 9f93a612da234591aa2645277aa0672ad53cfebe2697bdcf5e38e0920e270d35
File name: OTTYUADAF

SHA256: d6a7f7253e30ffbfddc85c34a905dd9022819df0629c698fe71bec384b041f6d
File name: radE36E2.tmp.exe
Hybrid-Analysis Submission

Infection Chain:

The infection begins with the compromised WordPress site being injected with the pseudoDarkleech script.

pseudodarkleech-script

pseudoDarkleech script shown above (within the span tags)

The script redirects the host to the Rig-v EK landing page. Once on the landing page, the host was sent a Flash exploit, a JS dropper, and finally the Cerber payload. Below is an image of the JS dropper:

js-dropper

We see the JS dropper and then the payload being downloaded to %temp%:

temp

As has been the case with pseudoDarkleech lately, the compromised site can be refreshed numerous times, meaning you are likely to see multiple downloads of the Flash exploit and payload.

Following the execution of the payload we see the check-in traffic via UDP port 6892. The check-in subnets seen in this infection seem to be new.
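Because the check-in subnets change between infections, a flow-log check is more durable if it alerts on UDP port 6892 fan-out as well as on the subnets listed in the IOCs. The following is an added example, not part of the original analysis; the flow-record format (`ts,src,dst,proto,dport`), the fan-out threshold, and the sample flows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Check-in port and subnets copied from this post's IOC list.
CERBER_PORT = 6892
CERBER_SUBNETS = [ipaddress.ip_network(n) for n in (
    "37.15.20.0/27", "77.1.12.0/27", "91.239.24.0/24", "91.239.25.0/24")]
FANOUT_THRESHOLD = 16  # assumption: distinct UDP/6892 destinations per source

def parse_flow(line):
    """Parse 'ts,src,dst,proto,dport' (assumed format); None if malformed."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 5:
        return None
    try:
        return (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]),
                parts[3].lower(), int(parts[4]))
    except ValueError:
        return None

def detect_checkin(lines):
    """Return {src: finding} for hosts whose UDP/6892 traffic looks like check-in."""
    ioc_hits, dsts = defaultdict(int), defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow[2] != "udp" or flow[3] != CERBER_PORT:
            continue
        src, dst = flow[0], flow[1]
        dsts[src].add(dst)
        if any(dst in net for net in CERBER_SUBNETS):
            ioc_hits[src] += 1  # destination inside a subnet from the IOC list
    findings = {}
    for src, seen in dsts.items():
        reasons = (["known-subnet"] if ioc_hits[src] else []) + \
                  (["fan-out"] if len(seen) >= FANOUT_THRESHOLD else [])
        if reasons:
            findings[str(src)] = {"ioc_hits": ioc_hits[src],
                                  "distinct_dsts": len(seen), "reasons": reasons}
    return findings

# Constructed sample flows (not taken from the original capture).
SAMPLE = (
    ["t%d,10.0.0.5,91.239.24.%d,udp,6892" % (i, i) for i in range(1, 4)]
    + ["t%d,10.0.0.9,198.51.100.%d,udp,6892" % (i, i) for i in range(1, 21)]
    + ["t1,10.0.0.7,192.0.2.53,udp,53", "t2,10.0.0.8,91.239.25.9,tcp,6892", "bad line"]
)

if __name__ == "__main__":
    for host, info in detect_checkin(SAMPLE).items():
        print(host, info)
```

The `fan-out` reason fires for a host that contacts many UDP/6892 destinations outside the listed ranges, which covers the case where the subnets have rotated since this post.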

I also noticed that during this infection the Cerber Instructions (contained within the .hta files) only had one location for the decryption software, whereas it has been giving users multiple sub-domains:

cerber-instructions-page

Once the host was infected, a .jpg of the ransom note “_README_[7 alpha numeric]_” was displayed, and the Desktop background image was changed to a .bmp of the ransom note (found in %Temp%).

Users will find the Cerber ransomware instructions (.hta files in the format _README_[7 alpha numeric]_) in any folder with encrypted files. Encrypted files are renamed and appended with .ab8b.

encrypted-files

Below is an image of the Desktop post-infection:

desktop
