pseudoDarkleech Script Redirects Host to Rig-V EK, EK Drops Cerber


  • – – Compromised site
  • – – Rig-V EK
  • Cerber check-in traffic via UDP port 6892:
  • – – Bitcoin block explorer
  • – – Cerber Decryptor site




Only showing partial image of UDP check-in traffic
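As an added example that is not part of the original post, the script below turns the one network indicator the capture gives us, Cerber check-in traffic over UDP port 6892, into a small detection that can be run over flow records. It parses constructed flow-log lines (not the post's pcap; the addresses are documentation ranges), summarises UDP datagrams to port 6892 per source host, and flags hosts that reached several distinct destinations on that port in a short window. The line layout, the destination threshold and the time window are assumptions to tune for your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

CERBER_CHECKIN_PORT = 6892  # UDP port seen in the post's Cerber check-in traffic

# Constructed flow-log lines for this example (not from the post's capture).
SAMPLE_FLOW_LOG = """\
2017-01-05 10:22:01 192.168.1.50:49152 -> 203.0.113.10:6892 udp
2017-01-05 10:22:01 192.168.1.50:49152 -> 203.0.113.11:6892 udp
2017-01-05 10:22:01 192.168.1.50:49152 -> 203.0.113.12:6892 udp
2017-01-05 10:22:02 192.168.1.50:49152 -> 203.0.113.13:6892 udp
2017-01-05 10:22:02 192.168.1.50:49152 -> 203.0.113.14:6892 udp
2017-01-05 10:22:03 192.168.1.50:51000 -> 198.51.100.7:443 tcp
2017-01-05 10:22:05 192.168.1.77:53001 -> 198.51.100.9:6892 udp
2017-01-05 10:22:09 192.168.1.50:49152 -> 203.0.113.15:6892 udp
"""

# Assumed line layout: "<date> <time> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_flows(text):
    """Parse flow-log text into dicts; lines that do not fit the layout are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "proto": m["proto"].lower(),
        })
    return flows


def udp_checkin_summary(flows, port=CERBER_CHECKIN_PORT):
    """Per source host: UDP datagram count to `port`, distinct destinations, first/last timestamp."""
    summary = defaultdict(lambda: {"packets": 0, "destinations": set(), "first": None, "last": None})
    for f in flows:
        if f["proto"] != "udp" or f["dport"] != port:
            continue
        s = summary[f["src"]]
        s["packets"] += 1
        s["destinations"].add(f["dst"])
        s["first"] = f["ts"] if s["first"] is None else min(s["first"], f["ts"])
        s["last"] = f["ts"] if s["last"] is None else max(s["last"], f["ts"])
    return dict(summary)


def flag_checkin_hosts(flows, port=CERBER_CHECKIN_PORT, min_destinations=5, window=timedelta(seconds=60)):
    """Sources whose UDP traffic to `port` hit >= min_destinations distinct IPs within `window`.

    A single datagram to the port is already worth a look (that is the post's indicator);
    the threshold and window are assumptions that reduce noise on busy networks.
    """
    flagged = []
    for src, s in udp_checkin_summary(flows, port).items():
        if len(s["destinations"]) >= min_destinations and (s["last"] - s["first"]) <= window:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOW_LOG)
    for src, s in udp_checkin_summary(flows).items():
        print(src, s["packets"], "datagrams to", len(s["destinations"]), "destinations on UDP", CERBER_CHECKIN_PORT)
    print("flagged:", flag_checkin_hosts(flows))
```

Run against the constructed log, only 192.168.1.50 is flagged: it reached six destinations on UDP 6892 within eight seconds, while 192.168.1.77 sent a single datagram and stays below the threshold but still appears in the per-host summary for an analyst to review.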


SHA256: 814d06968bd54aadd13f3e352d5c6b792decdb1c8eeec8d35e7aeaa0cde72b57
File name: RigV UA check.html

SHA256: 7e285aee3f54b9a289d03f8a6904eeed8dd88c3028f92ce9d62d8f2c333a52d7
File name: RigV EK Landing Page.html

SHA256: 6a086bff1c7bf29cb73a6433de4efc138dbcda01f11fb2d966e69d1ebd05d3f8
File name: RigV EK Flash Exploit.swf

SHA256: 37cd23a7139f22ba04c2888674ed1fbee67167d2e36e53de3065ad907b65f870
File name: OTTYUADAF

SHA256: b435fabf06d866d6292d17edbada63f685b0d5b3dc3d5a6f471d4432b3e0efe8
File name: mortise.dll
Hybrid-Analysis Submission

SHA256: 738fab7450ad2078905bf11b0cdd170a9c2c95fd60b36e5c5df87a6e76b21373
File name: rad03A66.tmp.exe
Hybrid-Analysis Submission

Infection Chain:

The infection begins when the user visits the compromised website, which contains injected script associated with the pseudoDarkleech campaign. This script redirects the host to a Rig-V User-Agent checking page. Below is an image of the HTTP request and the response from the web server, which returns a page containing the script:


The iframe above contains the URL for the Rig-V User-Agent checking page.

The script on the User-Agent check page is designed to identify the browser being used. The page also contains the URL for the Rig-V EK landing page. If the UA conditions are right, the host makes a POST request to the landing page URL.

For more information on the User-Agent checking page please refer to my previous blog post HERE.

The server then returns the landing page, which contains more script. Next we see the requests for the Flash exploit and the Cerber ransomware payload.


Partial image of the server returning the landing page


Partial image of the server returning the Flash exploit


Partial image of the server returning the payload

A JS downloader is dropped in %Temp%, followed by the Cerber payload. Both files delete themselves. Some files are also created in the Roaming folder. Here is an image of the JS downloader, the Cerber executable, and the additional files:

Notice there is one other Cerber executable in %Temp% (rad53B1C.tmp.exe). This happened because I refreshed the compromised site an additional time and got the full infection chain again. The filenames are different, but the hash values were identical.

After infection the user would see a ransom note image popup on their screen called _README_[5-8 alphanumeric characters]_.jpg and a Cerber ransomware instructions page called _README_[5-8 alphanumeric characters]_.hta. The instructions contain information about how the user can decrypt their encrypted files.

Encrypted files are renamed and appended with a 4-character extension. My files were appended with .ab8b; however, the extension is taken from your machine GUID.

Example: xxxxxxxx-xxxx-xxxx-ab8b-xxxxxxxxxxxx

Cerber also creates a folder in %Temp% named after the first 8 characters of your machine GUID.

Example: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Contained within that folder are two additional files named after the next 8 characters of the GUID.

Example: xxxxxxxx-xxxxxxxx-xxxx-xxxxxxxxxxxx

To check your machine GUID, open regedit.exe and look at the MachineGuid value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography.
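As an added example that is not part of the original post, the Python script below turns the naming rules above into a host triage check. It reads the machine GUID from the registry (or takes one as an argument), derives the expected encrypted-file extension, the %Temp% folder name and the inner file names, and classifies a file listing against those plus the _README_*_.hta/.jpg note names and the rad*.tmp.exe payload names seen earlier in the post. The GUID and the file listing are constructed; how the two inner files are named (GUID groups two and three concatenated, 8 characters without the hyphen) is my reading of the post's example and is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed machine GUID for this example (not from the post).
SAMPLE_MACHINE_GUID = "1a2b3c4d-5e6f-7a8b-ab8b-9c0d1e2f3a4b"

# Constructed file listing for this example; the paths are not from the post.
SAMPLE_LISTING = [
    r"C:\Users\user\Documents\Kz3mQ8wB1n.ab8b",
    r"C:\Users\user\Documents\_README_Qx7pL2_.hta",
    r"C:\Users\user\Desktop\_README_Qx7pL2_.jpg",
    r"C:\Users\user\AppData\Local\Temp\rad03A66.tmp.exe",
    r"C:\Users\user\AppData\Local\Temp\1a2b3c4d\5e6f7a8b",
    r"C:\Users\user\Documents\notes.txt",
]

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# Ransom note names from the post: _README_<5-8 alphanumeric characters>_.hta / .jpg
RANSOM_NOTE_RE = re.compile(r"^_README_[A-Za-z0-9]{5,8}_\.(hta|jpg)$", re.I)
# Dropped payload names from the post: rad03A66.tmp.exe, rad53B1C.tmp.exe
TEMP_PAYLOAD_RE = re.compile(r"^rad[0-9A-F]+\.tmp\.exe$", re.I)


def read_machine_guid():
    """Read MachineGuid from HKLM\\SOFTWARE\\Microsoft\\Cryptography (Windows only).

    KEY_WOW64_64KEY asks for the 64-bit view even from a 32-bit Python.
    """
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Cryptography",
                        0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
        return winreg.QueryValueEx(key, "MachineGuid")[0]


def cerber_artifacts_from_guid(machine_guid):
    """Derive the names Cerber builds from the machine GUID, following the post's description."""
    if not GUID_RE.match(machine_guid):
        raise ValueError("not a GUID: %r" % machine_guid)
    g = machine_guid.lower().split("-")
    return {
        "extension": "." + g[3],      # 4th GUID group becomes the encrypted-file extension (.ab8b in the post)
        "temp_folder": g[0],          # first 8 characters name the folder created under %Temp%
        "inner_files": g[1] + g[2],   # assumption: the next 8 characters, hyphen dropped, name the two inner files
    }


def triage_listing(paths, machine_guid):
    """Classify file paths against Cerber's naming scheme; returns lists keyed by artifact type."""
    art = cerber_artifacts_from_guid(machine_guid)
    hits = {"encrypted": [], "ransom_notes": [], "temp_payloads": [], "guid_folder": []}
    for p in paths:
        wp = PureWindowsPath(p)
        parts = [part.lower() for part in wp.parts]
        if RANSOM_NOTE_RE.match(wp.name):
            hits["ransom_notes"].append(p)
        elif TEMP_PAYLOAD_RE.match(wp.name):
            hits["temp_payloads"].append(p)
        elif wp.suffix.lower() == art["extension"]:
            hits["encrypted"].append(p)
        elif art["temp_folder"] in parts and wp.stem.lower() == art["inner_files"]:
            hits["guid_folder"].append(p)
    return hits


if __name__ == "__main__":
    import sys
    guid = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_MACHINE_GUID
    print("expected artifacts:", cerber_artifacts_from_guid(guid))
    for kind, found in triage_listing(SAMPLE_LISTING, guid).items():
        print(kind, found)
```

On a live host you would call read_machine_guid() and feed the script a listing of user profile directories; the extension check is the cheapest sweep for encrypted files, while the %Temp% folder and rad*.tmp.exe checks point at the dropper artifacts even after the payloads have deleted themselves.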

The Desktop is also changed to a .bmp image of the ransom note. Below are images of the Desktop, ransom notes, and encrypted file.

My IDS also alerted on the malicious traffic:


Until next time!
