IOCs:
- 162.255.161.10 – luckystavern.com – Compromised site
- 81.177.6.49 – will.warondoctors.info – Rig-V EK
- Cerber check-in traffic via UDP port 6892:
- 37.15.20.0/27
- 77.1.12.0/27
- 91.239.24.0/24
- 91.239.25.0/24
- 148.251.6.214 – btc.blockr.io – Bitcoin block explorer
- 23.152.0.137 – ffoqr3ug7m726zou.13inb1.top – Cerber Decryptor site
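The UDP check-in is the easiest part of this chain to alert on, because Cerber talks to whole address ranges (the /27s and /24s above) on a fixed port rather than to a single host. The following is an added example, not code from the original post: it takes constructed Zeek-style conn.log records (made up for this illustration, not from the post's capture), flags any UDP flow to port 6892 whose destination falls in one of the listed ranges, and counts distinct check-in destinations per internal host, which is the signal a single infected machine produces.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Check-in ranges and port taken from the IOC list above.
CERBER_CHECKIN_NETS = [
    ipaddress.ip_network(n)
    for n in ("37.15.20.0/27", "77.1.12.0/27", "91.239.24.0/24", "91.239.25.0/24")
]
CERBER_CHECKIN_PORT = 6892

# Equivalent Suricata/Snort-style rule for the same traffic (sid is a placeholder).
SURICATA_RULE = (
    'alert udp $HOME_NET any -> '
    '[37.15.20.0/27,77.1.12.0/27,91.239.24.0/24,91.239.25.0/24] 6892 '
    '(msg:"Cerber ransomware UDP check-in"; sid:1000001; rev:1;)'
)

# Constructed flow records in the shape of a Zeek conn.log with the fields
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto (tab-separated).
# These lines are made up for this example; they are not from the post's capture.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1481800000.100000\t192.168.1.50\t51234\t37.15.20.17\t6892\tudp
1481800000.200000\t192.168.1.50\t51234\t77.1.12.31\t6892\tudp
1481800000.300000\t192.168.1.50\t51235\t91.239.25.200\t6892\tudp
1481800000.400000\t192.168.1.50\t49152\t162.255.161.10\t80\ttcp
1481800000.500000\t192.168.1.50\t51236\t8.8.8.8\t53\tudp
1481800000.600000\t192.168.1.50\t51237\t37.15.20.40\t6892\tudp
1481800000.700000\t192.168.1.77\t51238\t91.239.24.9\t6892\ttcp
"""


def is_cerber_checkin(dst_ip: str, dst_port: int, proto: str) -> bool:
    """True for a UDP flow to port 6892 whose destination lies in a listed range."""
    if proto.lower() != "udp" or dst_port != CERBER_CHECKIN_PORT:
        return False
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in CERBER_CHECKIN_NETS)


def parse_conn_log(text: str) -> List[dict]:
    """Parse the six-column constructed conn.log format; '#' header lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split("\t")
        records.append({"ts": ts, "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "proto": proto})
    return records


def find_cerber_checkins(text: str) -> List[dict]:
    """Return only the records matching the Cerber check-in pattern."""
    return [r for r in parse_conn_log(text)
            if is_cerber_checkin(r["dst"], r["dport"], r["proto"])]


def checkin_destinations_per_host(text: str) -> Dict[str, int]:
    """Distinct check-in destinations per internal host. The check-in goes to
    address ranges, so one host reaching several such addresses is the signal."""
    seen = defaultdict(set)
    for r in find_cerber_checkins(text):
        seen[r["src"]].add(r["dst"])
    return {src: len(dsts) for src, dsts in seen.items()}


if __name__ == "__main__":
    for hit in find_cerber_checkins(SAMPLE_CONN_LOG):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']}/{hit['proto']}")
    print(checkin_destinations_per_host(SAMPLE_CONN_LOG))
```

Note that 37.15.20.40 is outside 37.15.20.0/27 (which ends at .31) and that a TCP flow to the right address and port is not matched; both are deliberate negatives in the sample so the range and protocol checks are exercised.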
Traffic:
Hashes:
SHA256: 948785c8a2c441345317ea80e1fd7c622599932dade375872b9c5b9030a61145
File name: RigV UA check page.html
SHA256: 699fe5529a3a6928717e47300646d18f36a6ce21823228fffdd52d06e9aa9cd5
File name: RigV EK Landing Page.html
SHA256: 103c5613e30c8eb9083ffd47ee439fba726d0fe13de577b30307e4910c0fc68f
File name: RigV EK Flash Exploit.swf
SHA256: 45d8bdd3e6991e6429acbbb8f149ffbd069dca5af4465fbf1071fc3ac73fec22
File name: radF31F1.tmp.exe
Hybrid-Analysis Submission
Infection Chain:
The infection begins when the user visits the compromised website, which contains an injected script associated with the pseudoDarkleech campaign. This script redirected the host to a Rig-V User-Agent checking page. Below is an image of the HTTP request and response from the web server, which returns a page containing the script:
The iframe above contains the URL for the Rig-V User-Agent checking page.
The script on the User-Agent check page is designed to identify the browser being used. The page also contains the URL for the Rig-V landing page. If the conditions are met, the host makes a POST request to the landing page URL. For more information on the User-Agent checking page please refer to my previous blog post HERE.
The server then returned the landing page, which contains more script. Next we see the request for a Flash exploit and the Cerber ransomware payload.
A JS downloader is dropped in %Temp%, followed by the Cerber payload. Both files delete themselves.
Notice there are 3 other Cerber payloads in %Temp% (radD3343.tmp.exe, rad032EB.tmp.exe, and rad0D585.tmp.exe). This happened because I refreshed the compromised site 3 additional times and got the full infection chain. The filenames are different but the hash values are identical.
After infection the user sees a ransom note image pop up on their screen, named _README_[7 alphanumeric characters]_.jpg, and a Cerber ransomware instructions page named _README_[7 alphanumeric characters]_.hta. The instructions tell the user how to decrypt their encrypted files.
Encrypted files are renamed and given a four-character extension. My files were appended with .ab8b; the extension is taken from the machine GUID, specifically its fourth hyphen-separated group.
For example: xxxxxxxx-xxxx-xxxx-ab8b-xxxxxxxxxxxx
This shouldn't be a surprise, since Cerber also creates folders and files in %Temp% named after partial sections of the machine GUID.
To check your machine GUID, open regedit.exe and look at the MachineGuid value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography.
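The extension rule and the file names above are enough to build a quick host triage. The following is an added example, not the post's own code and not Cerber's: it derives the expected extension from the fourth group of the MachineGuid, reads that value from the registry when run on Windows, and sorts a list of paths into encrypted files, ransom notes (_README_<7 alphanumerics>_.hta/.jpg) and dropped payloads (rad<5 hex>.tmp.exe in %Temp%). The GUID used as the non-Windows fallback and the sample paths are constructed.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# _README_<7 alphanumerics>_.hta / .jpg, as described in the post.
RANSOM_NOTE_RE = re.compile(r"^_README_[0-9A-Za-z]{7}_\.(hta|jpg)$", re.I)
# rad<5 hex>.tmp.exe, the payload names the post observed in %Temp%.
DROPPED_PAYLOAD_RE = re.compile(r"^rad[0-9A-F]{5}\.tmp\.exe$", re.I)

# Constructed sample paths for this example (not from the post's host).
SAMPLE_PATHS = [
    r"C:\Users\victim\Documents\kJ3fR9sL2q.ab8b",
    r"C:\Users\victim\Documents\_README_a1b2c3d_.hta",
    r"C:\Users\victim\Desktop\_README_a1b2c3d_.jpg",
    r"C:\Users\victim\Documents\budget.xlsx",
    r"C:\Users\victim\AppData\Local\Temp\radF31F1.tmp.exe",
]


def expected_extension(machine_guid: str) -> str:
    """Fourth hyphen-separated group of the MachineGuid, lower-cased: the
    extension Cerber appends (ab8b for xxxxxxxx-xxxx-xxxx-ab8b-xxxxxxxxxxxx)."""
    guid = machine_guid.strip().strip("{}")
    if not GUID_RE.match(guid):
        raise ValueError(f"not a GUID: {machine_guid!r}")
    return guid.split("-")[3].lower()


def read_machine_guid() -> Optional[str]:
    """Read HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid on Windows;
    returns None on other platforms. KEY_WOW64_64KEY matters when running
    32-bit Python on 64-bit Windows, because the Wow6432Node view typically
    lacks this value."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Cryptography", 0,
                        winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
        value, _ = winreg.QueryValueEx(key, "MachineGuid")
        return str(value)


def classify(path: str, ext: str) -> Optional[str]:
    """Label one path as encrypted file, ransom note, dropped payload, or None."""
    name = PureWindowsPath(path).name
    if RANSOM_NOTE_RE.match(name):
        return "ransom_note"
    if DROPPED_PAYLOAD_RE.match(name):
        return "dropped_payload"
    if name.lower().endswith("." + ext):
        return "encrypted"
    return None


def triage(paths: Iterable[str], machine_guid: str) -> Dict[str, List[str]]:
    """Group paths by what they are on a host with the given MachineGuid."""
    ext = expected_extension(machine_guid)
    found: Dict[str, List[str]] = {"encrypted": [], "ransom_note": [], "dropped_payload": []}
    for p in paths:
        kind = classify(p, ext)
        if kind:
            found[kind].append(p)
    return found


if __name__ == "__main__":
    # Constructed fallback GUID for non-Windows runs.
    guid = read_machine_guid() or "12345678-1234-1234-ab8b-123456789abc"
    for kind, items in triage(SAMPLE_PATHS, guid).items():
        print(kind, items)
```

On a live host you would feed triage() the output of a directory walk instead of SAMPLE_PATHS; matching on the GUID-derived extension rather than on a hard-coded one is what makes the same script usable across machines, since every infected host gets a different extension.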
The Desktop background is also changed to a .bmp image of the ransom note. Below are images of the Desktop, the ransom notes, and an encrypted file.
Until next time!