IOCs:
- 205.251.140.114 – northrivercommission.org – Compromised site
- 195.133.201.249 – add.medlucency.info – RIG-v EK
- Cerber check-in traffic via UDP port 6892:
- 93.223.40.0/27
- 92.145.32.0/27
- 91.239.24.0/24
- 91.239.25.0/24
- 148.251.6.214 – btc.blockr.info – Bitcoin block explorer
- 84.200.4.130 – ffoqr3ug7m726zou.17vj7b.top – Cerber Decryptor site
Traffic:
Pictures don’t show all the Cerber check-in traffic. For full Cerber check-in traffic click on the Hybrid-Analysis Submission link found in the Hashes section
Hashes:
SHA256: a309461e89391f4432949d391d8ba4bcc8fee4f1def2bf01bf439da1c11e21dd
File name: RIGV EK UA Gate.html
SHA256: 052d05cbca3b82357ccd8d19fe4c2ed2207ba8286d57b0d4f24f88dce8ce6611
File name: RIGV EK Landing Page.html
SHA256: c84c182f81f9fc8abab0b7955015890e61a613647aa6870a953b720c92838562
File name: RIGV EK Flash Exploit.swf
SHA256: df9a24db2844eb2b4b4c06a762888b1331d4d87d3bcbb481c8f00fc6e12332fe
File name: rad6519B.tmp.exe
Hybrid-Analysis Submission
PseudoDarkleech Script:
Infection Chain:
The infection chain begins with the user browsing to a compromised website. In this sample we can see that I was browsing the website northrivercommission.org. The picture above shows the pseudoDarkleech script being injected into the sites code. The iframe within that script causes the host to make a GET request to the URL.
On December 4th, 2016, I noticed that RIG-v was using a gate of sorts before redirecting the host to the landing page. The URL contained within the pseudoDarkleech script is pointing to that same gate which is checking the User-Agent before redirecting the host to the landing page. Read more about this HERE.
Once on the landing page the host was served a Flash exploit and a script that caused the host to make a request for the payload. Below are images of the host requests and server responses for the landing page, Flash exploit, and Cerber payload.
Image only shows partial part of the return traffic for the landing page
Image only shows partial part of the return traffic for the Flash exploit
Image only shows partial part of the return traffic for the payload
The JS downloader and payload are dropped in %Temp%. These files self-delete themselves. There are also some files created in the user’s Roaming folder. Below are images of the Cerber executable and additional files created during the infection:
After infection the user would see a ransom note in the form of an image popup on their screen called _README_[5-8 alphanumeric characters]_.jpg. This is followed by Cerber ransomware instructions page called _README_[5-8 alphanumeric characters]_.hta being loaded on the screen. The instructions contain information about how the user can decrypt their files.
Encrypted files are being renamed and are appended with a 4 character extension. For example, my files were appended with an .ab8b, however, each infection will be different as the extensions are being named after a part of your machine’s GUID.
Example: xxxxxxxx-xxxx-xxxx-ab8b-xxxxxxxxxxxx
It should also be noted that Cerber is also creating a folder in %Temp% and naming it after the first 8 characters in your machine GUID.
Example: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Contained within that folder are two additional .tmp files named after the next 8 characters of the GUID.
Example: xxxxxxxx-xxxx–xxxx-xxxx-xxxxxxxxxxxx
To check your machine GUID you can use regedit.exe and find it in HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptography.
The Desktop is also changed to a .bmp image of the ransom note (contained within %Temp%). Below are images of the Desktop, ransom notes, and encrypted files.
As of this writing I don’t believe there is a Cerber decryption tool for this version. If anyone knows of one leave a comment below or contact me on Twitter.
Malware breakdown 