Tag: Cerber

pseudoDarkleech Leads to Rig-V EK at 194.87.238.148 and Drops Cerber

IOCs:
142.147.9.32 – carrollgymnastics.com – Compromised website
194.87.238.148 – new.ehrlichusedautos.com – Rig-V EK
Cerber checkin UDP traffic via port 6892 (3 times for all IPs in each subnet listed below):
  15.49.2.0/27
  122.1.13.0/27
  194.165.16.0/24
  194.165.17.0/24
148.251.6.214 – btc.blockr.io – Bitcoin block explorer
54.91.45.162 – ffoqr3ug7m726zou.41c920.top – Cerber Decryptor site
54.91.45.162 – ffoqr3ug7m726zou.rovr6i.top – Cerber Decryptor site
...

pseudoDarkleech Leads to Rig EK at 5.200.55.126 and Drops Cerber

IOCs:
66.147.244.158 – tbcphoenix.org – Compromised website
5.200.55.126 – ew.albanyparklocksmithchicago.com – Rig EK
194.165.16.0/24, 194.165.17.0/24, 194.165.18.0/24, 194.165.19.0/24 – UDP port 6892
148.251.6.214 – btc.blockr.io – Bitcoin block explorer
136.243.157.171 – ffoqr3ug7m726zou.le2brr.bid – Cerber Decryptor site
Traffic:
Hashes:
SHA256: 79cfb143bb59ba051584be153aa1b0669eaa872630ebc647befaf7109a93d3df – File name: RigEK Landing Page.html
SHA256: 4f2936fc74f7982fb450a0edfd0e200c0301b3cba56f3e55cc08cf92d423917d – File name: RigEK Flash Exploit.swf
SHA256: 0601888775c21e42d533e028678b91ad70ed7656a2a7aa68f5d46fad2c1c6fbe – File name: ...

pseudoDarkleech Leads to Rig EK at 212.116.121.122 & Drops Cerber Ransomware

IOCs:
192.185.28.237 – eureka-resources.com – Compromised website
212.116.121.122 – try.jessicajw.com – Rig EK
31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via port 6892
148.251.6.214 – btc.blockr.io – Bitcoin block explorer
107.161.95.138 – ffoqr3ug7m726zou.zn90h4.bid – Cerber Decryptor payment site
Traffic:
Hashes:
SHA256: 2cfbbe508cdfe85767c4ad9f097adce52bb8a630598f9b2d191b7dc82f195069 – File name: RigEK Landing Page.html
SHA256: 3474904d1dfd8943d3c779d621aa9767465532f288523bae6b57194b35fb3e6e – File name: RigEK Flash Exploit.swf
SHA256: 05d0f6625551fc4787430495d8c4f103e00624e7e64eb93b3c3bdbfb789981b2 ...

Rig EK at 212.116.121.122 Drops Cerber Ransomware

IOCs:
50.62.216.150 – heathfoodstorenewsmyrna.com – Compromised website
212.116.121.122 – we.jessicaandclayton.com – Rig EK
31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via port 6892
148.251.6.214 – btc.blockr.io – Bitcoin block explorer
107.161.95.138 – ffoqr3ug7m726zou.zn90h4.bid – Cerber Decryptor payment site
Traffic:
Hashes:
SHA256: 2c68d7b4f7bb14a8b9f3986360bd351f34565eb0a4029ee01cc8588bcddb8c50 – File name: RigEK Landing Page.html
SHA256: 3474904d1dfd8943d3c779d621aa9767465532f288523bae6b57194b35fb3e6e – File name: RigEK Flash Exploit.swf
SHA256: 05d0f6625551fc4787430495d8c4f103e00624e7e64eb93b3c3bdbfb789981b2 ...

Rig EK at 109.234.35.79 Drops Cerber

IOCs:
67.222.1.229 – creeklinehouse.com – Compromised website
109.234.35.79 – xc.executivegrowth.com – Rig EK
31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via port 6892
148.251.6.214 – btc.blockr.io – Bitcoin block explorer
173.254.231.111:
  ffoqr3ug7m726zou.zn90h4.bid – Cerber Decryptor payment site
  ffoqr3ug7m726zou.e6cf2t.bid – Cerber Decryptor payment site
107.161.95.138 – ffoqr3ug7m726zou.19jmfr.top – Cerber Decryptor payment site
185.100.85.150 – ffoqr3ug7m726zou.onion.to – Cerber ...

pseudoDarkleech Leads to Rig EK at 188.227.75.149 Which Drops Cerber

IOCs:
75.98.175.88 – heytanksla.com – Compromised site
188.227.75.149 – add.projectcollective.com – Rig EK
31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via port 6892
148.251.6.214 – btc.blockr.io – Bitcoin block explorer
107.161.95.138 – ffoqr3ug7m726zou.e6cf2t.bid – Cerber Decryptor payment site
Traffic:
Hashes:
SHA256: 9eba65e897e6eba00ffaa3b0639f995f59ddb75df5159565a793a87cc05e4389 – File name: RigEK Landing Page.html
SHA256: 447481e6592cca3a787e823e1b146240ce2b11ac24fbb6ec141e6a1300a6d4fe – File name: RigEK Flash Exploit.swf
SHA256: 6da39edbd0a1455beaac5ae1c163624519998abd8f3abc74316b73ab98f83a9d ...

pseudoDarkleech Leads to Rig EK at 108.61.167.148 and Drops Cerber

IOCs:
69.195.124.241 – injuryphysicians.com – Compromised site
108.61.167.148 – try.maslakkiralikofis.com – Rig EK
UDP traffic to 31.184.234.0/24 and 31.184.235.0/24 via port 6892
148.251.6.214 – btc.blockr.io – Bitcoin blockchain
173.254.231.111:
  ffoqr3ug7m726zou.13uvry.top – Cerber Decryptor payment site
  ffoqr3ug7m726zou.rbrkng.bid – Cerber Decryptor payment site
210.16.101.69:
  ffoqr3ug7m726zou.yjy5dr.bid – Cerber Decryptor payment site
  ffoqr3ug7m726zou.rbrkng.bid – Cerber Decryptor payment site
185.100.85.150 – ...

pseudoDarkleech Leads to Rig EK at 107.191.63.102 and Drops Cerber Ransomware

IOCs:
206.188.193.61 – surfsideanimalhospital.com – Compromised site
107.191.63.102 – pop.42-maslak.net – Rig EK
31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via port 6892
148.251.6.214 – btc.blockr.io – Bitcoin blockchain
173.254.231.111:
  vyohacxzoue32vvk.g0lpn5.bid – Cerber Decryptor site
  vyohacxzoue32vvk.13uvry.top – Cerber Decryptor site
  vyohacxzoue32vvk.x8p2m7.bid – Cerber Decryptor site
217.197.83.197 – vyohacxzoue32vvk.onion.to – Cerber Decryptor site
Traffic:
Hashes:
SHA256: ab8d6638977e34c0d14f096d02e3a973c1c624845e075c48e696c35f7e35020a ...

pseudoDarkleech Leads to Rig EK at 194.87.146.233 Which Drops Cerber Ransomware

IOCs:
209.235.165.201 – cgtiaz.org – Compromised site
194.87.146.233 – rew.artbykimwild.com – Rig EK
31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via destination port 6892
45.59.114.125 and 173.254.231.11 – Cerber Decryptor payment site(s):
  ffoqr3ug7m726zou.hajw7w.bid
  ffoqr3ug7m726zou.1nkkem.top
  ffoqr3ug7m726zou.zn90h4.bid
  ffoqr3ug7m726zou.5ggovj.bid
  ffoqr3ug7m726zou.onion
148.251.6.214 – btc.blockr.io – Bitcoin blockchain explorer
Traffic:
Hashes:
SHA256: dfa75edd8f2e3d6b85754e73b31e2ce6479dc1fccaee4da1a7fec1a57a2f3112 – File name: RigEK Landing Page.html
SHA256: cabb797012864750b80b2942ebfcfdedcb3ef6b4a510b4d28c9389a69f4d010a – File ...

Rig Exploit Kit Switches From CryptMIC to Cerber

IOCs:
50.63.43.8 – thekingstreetgrille.com – Compromised site
194.87.146.233 – rew.usaviatorfinancing.com – Rig EK
31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via dst. port 6892
45.59.114.125 and 173.254.231.11 – Cerber Decryptor payment site(s):
  ffoqr3ug7m726zou.5ggovj.bid
  ffoqr3ug7m726zou.1nkkem.top
  ffoqr3ug7m726zou.d4u711.bid
  ffoqr3ug7m726zou.y7603i.bid
  ffoqr3ug7m726zou.onion
148.251.6.214 – btc.blockr.io – Bitcoin blockchain explorer
Traffic:
Hashes:
SHA256: bd0fd45d9424075870b108526f18db71ce7f7e5e741336c056c08c13ba40693a – File name: RigEK Landing Page.html
SHA256: cabb797012864750b80b2942ebfcfdedcb3ef6b4a510b4d28c9389a69f4d010a – File ...
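Every entry on this tag page shares one network indicator: the infected host sends UDP datagrams to destination port 6892 at every address in one or more ranges (31.184.234.0/24 and 31.184.235.0/24 in most posts, the 194.165.16-19.0/24 blocks and two /27s in the others, three times per address in the Rig-V post). The decryptor domains and the Rig EK gates rotate from post to post, but that subnet spray does not, which makes it a better hunting query than any single IP. The script below is an added example for this page, not code from the blog or from any of the posts; it flags a source that reaches many distinct addresses inside a single /24 on UDP/6892 rather than matching a fixed destination list. The flow-log line format (`src dst proto dport`), the sample traffic and the 32-host threshold are assumptions chosen for illustration.

```python
"""Flag hosts that spray UDP datagrams to dst port 6892 across whole subnets,
the Cerber check-in pattern repeated in the posts above.

Added example for this page, not code from the blog or from any analysis tool.
The flow-log format ("src dst proto dport", one flow per line), the sample
traffic and the threshold are assumptions chosen for illustration.
"""
from collections import defaultdict
import ipaddress

CERBER_UDP_PORT = 6892   # destination port listed in every post above
# Flag a source once it has hit this many distinct addresses inside one /24.
# 32 also catches the /27 ranges from the Rig-V post (a /27 holds 32 addresses).
MIN_HOSTS_PER_SUBNET = 32


def parse_flow(line):
    """Parse one constructed flow-log line: 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return src, ipaddress.ip_address(dst), proto.lower(), int(dport)


def find_udp_sprays(lines, port=CERBER_UDP_PORT, min_hosts=MIN_HOSTS_PER_SUBNET):
    """Return {src: {"/24 as string": distinct_hosts_hit}} for every source that
    sent UDP/port datagrams to at least min_hosts distinct addresses in one /24.

    Grouping by /24 and counting distinct destinations (not packets) is what
    separates a subnet spray from a handful of legitimate UDP flows to the same
    port, and it does not depend on which exact ranges the current sample uses."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = parse_flow(line)
        if proto != "udp" or dport != port:
            continue
        subnet = ipaddress.ip_network(f"{dst}/24", strict=False)
        hits[src][str(subnet)].add(dst)
    alerts = {}
    for src, subnets in hits.items():
        flagged = {net: len(hosts) for net, hosts in subnets.items()
                   if len(hosts) >= min_hosts}
        if flagged:
            alerts[src] = flagged
    return alerts


def build_sample_flows():
    """Constructed flow log (not captured traffic): one infected host repeats the
    Cerber spray three times over both /24s named in the posts; two benign hosts
    add normal noise (DNS, two UDP/6892 flows that are not a spray, one TCP flow)."""
    lines = ["# src dst proto dport"]
    for _ in range(3):                                   # "3 times for all IPs"
        for net in ("31.184.234.0/24", "31.184.235.0/24"):
            for dst in ipaddress.ip_network(net):        # all 256 addresses
                lines.append(f"10.0.0.5 {dst} UDP {CERBER_UDP_PORT}")
    lines += [
        "10.0.0.9 31.184.234.17 UDP 6892",
        "10.0.0.9 31.184.234.18 UDP 6892",
        "10.0.0.9 8.8.8.8 UDP 53",
        "10.0.0.12 31.184.235.40 TCP 6892",
    ]
    return lines


if __name__ == "__main__":
    for src, nets in find_udp_sprays(build_sample_flows()).items():
        for net, count in nets.items():
            print(f"ALERT {src} -> {net}: {count} distinct hosts on UDP/{CERBER_UDP_PORT}")
```

Only the infected host is reported: the two UDP/6892 flows from 10.0.0.9 stay under the threshold, and the TCP flow to the same port is ignored. Because the alert is keyed on distinct destinations per /24, it keeps working when a later sample switches ranges, as the posts above did between the 194.165.x.0/24 blocks and 31.184.234-235.0/24.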