pseudoDarkleech Redirects Host to Rig-V EK at and Drops Cerber


  • – – Compromised site
  • – – Rig-V EK
  • Cerber check-in traffic via UDP port 6892:
  • – – Bitcoin block explorer
  • – – Cerber Decryptor site




SHA256: 948785c8a2c441345317ea80e1fd7c622599932dade375872b9c5b9030a61145
File name: RigV UA check page.html

SHA256: 699fe5529a3a6928717e47300646d18f36a6ce21823228fffdd52d06e9aa9cd5
File name: RigV EK Landing Page.html

SHA256: 103c5613e30c8eb9083ffd47ee439fba726d0fe13de577b30307e4910c0fc68f
File name: RigV EK Flash Exploit.swf

SHA256: 45d8bdd3e6991e6429acbbb8f149ffbd069dca5af4465fbf1071fc3ac73fec22
File name: radF31F1.tmp.exe
Hybrid-Analysis Submission

Infection Chain:

The infection begins when the user visits the compromised website. The compromised website contains injected script known as pseudoDarkleech campaign. This script redirected the host to a Rig-V User-Agent checking page. Below is an image of the HTTP request and response from the web server which returns a page with the script:


The iframe above contains the URL for the Rig-V User-Agent checking page.

The script on the User-Agent check page is designed to identify the browser being used. The page also contains the URL for the Rig-V landing page. If conditions are met then the host makes a POST request to the landing page URL. For more information on the User-Agent checking page please refer to my previous blog post HERE.

The server then returned the landing page which contains more script. Next we see the request for a Flash exploit and the Cerber ransomware payload.


Partial image of the response containing the landing page


Partial image of the response containing the Flash exploit


Partial image of the response containing the Cerber ransomware payload

A JS downloader is dropped in %Temp% followed by the Cerber payload. Both files self-delete themselves.


Notice there are 3 other Cerber payloads in %Temp% (radD3343.tmp.exe, rad032EB.tmp.exe, and rad0D585.tmp.exe). This happened because I refreshed the compromised site 3 additional times and got the full infection chain. The filenames are different but the hash values were identical.

After infection the user would see a ransom note image popup on their screen called _README_[7 alphanumeric characters]_.jpg and a Cerber ransomware instructions page called  _README_[7 alphanumeric characters]_.hta. The instructions contain information about how the user can decrypt their encrypted files.

Encrypted files are renamed and are appended with a 4 character extension. My files were appended with an .ab8b, however, the extensions are being named after your machine GUID.

For example: xxxxxxxx-xxxx-xxxx-ab8b-xxxxxxxxxxxx

This shouldn’t be a surprise since Cerber is also creating and then naming folders and files in %Temp% after partial sections from the machine GUID.

To check your machine GUID you can use regedit.exe and find it in HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptography.

The Desktop is also changed to a .bmp image of the ransom note. Below are images of the Desktop, ransom notes, and encrypted file.

Until next time!

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: