Tag: Rig-V


pseudoDarkleech Points to Rig-V EK at 195.133.48.182 and Drops Cerber

IOCs:
206.188.193.241 – sienahotel.com – Compromised website
195.133.48.182 – new.mulchguystoledo.com – Rig-V EK
Cerber check-in traffic via UDP port 6892 to:
  15.49.2.0/27
  122.1.13.0/27
  194.165.16.0/24
  194.165.17.0/24
ICMP traffic from 95.141.21.37 referencing destination port 6892
148.251.6.214 – btc.blockr.io – Bitcoin block explorer
185.44.105.11 – ffoqr3ug7m726zou.16iqt6.top – Cerber Decryptor site
185.100.85.150 – ffoqr3ug7m726zou.onion.to – Cerber Decryptor site
185.69.153.226 – ...


pseudoDarkleech Leads to Rig-V EK at 46.30.46.210 and Drops Cerber

IOCs:
74.220.207.74 – neilfoote.com – Compromised website
46.30.46.210 – new.toyotaoflaramie.com – Rig-V EK
Cerber check-in traffic via UDP port 6892 to:
  15.49.2.0/27
  122.1.13.0/27
  194.165.16.0/24
  194.165.17.0/24
ICMP traffic from 95.141.21.37 referencing destination port 6892
185.98.87.153 – ffoqr3ug7m726zou.zgyua4.top
148.251.6.214 – btc.blockr.io – Bitcoin block explorer
ffoqr3ug7m726zou.162egg.top – Cerber Decryptor site
ffoqr3ug7m726zou.rssh31.bid – Cerber Decryptor site
ffoqr3ug7m726zou.onion.to – Cerber ...


pseudoDarkleech Leads to Rig-V EK at 194.87.232.99 and Drops Cerber. New Fingerprinting Technique / Gate?

IOCs:
178.248.39.186 – innovatemyschool.com – Compromised website
194.87.232.99 – add.smartpettags.org – Rig-V EK
Cerber check-in traffic via UDP port 6892 to:
  15.49.2.0/27
  122.1.13.0/27
  194.165.16.0/24
  194.165.17.0/24
148.251.6.214 – btc.blockr.io – Bitcoin block explorer
104.36.83.52 – avsxrcoq2q5fgrw2.4vona2.top
103.232.215.140 – avsxrcoq2q5fgrw2.17rmvr.top – Cerber Decryptor site
104.36.83.52 – avsxrcoq2q5fgrw2.wiaikl.top – Cerber Decryptor site
217.197.83.197 – avsxrcoq2q5fgrw2.onion.to – Cerber Decryptor site
...


pseudoDarkleech Leads to Rig-V EK at 194.87.238.148 and Drops Cerber

IOCs:
142.147.9.32 – carrollgymnastics.com – Compromised website
194.87.238.148 – new.ehrlichusedautos.com – Rig-V EK
Cerber check-in traffic via UDP port 6892 (sent 3 times to every IP in each subnet listed below):
  15.49.2.0/27
  122.1.13.0/27
  194.165.16.0/24
  194.165.17.0/24
148.251.6.214 – btc.blockr.io – Bitcoin block explorer
54.91.45.162 – ffoqr3ug7m726zou.41c920.top – Cerber Decryptor site
54.91.45.162 – ffoqr3ug7m726zou.rovr6i.top – Cerber Decryptor site
...
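The Cerber check-in pattern that recurs in the four posts above (UDP to port 6892, sent to every address of 15.49.2.0/27, 122.1.13.0/27, 194.165.16.0/24 and 194.165.17.0/24) is straightforward to turn into a detection over flow records. The script below is an added example, not code from the original posts or their author: the flow-record format ("src_ip dst_ip proto dst_port"), the constructed sample records, the internal hosts 10.0.0.x and the sweep threshold of 8 distinct targets are all assumptions made for this example. It reports, per source host, how many distinct addresses inside the IOC subnets were contacted and how many matching flows were seen, and flags a host as sweeping when the distinct-target count is high, which separates an infected host (dozens of targets, each hit several times) from a single stray packet.

```python
import ipaddress
from collections import defaultdict

# Destination subnets and UDP port taken from the check-in IOCs in the posts above.
CERBER_CHECKIN_NETS = [
    ipaddress.ip_network(n)
    for n in ("15.49.2.0/27", "122.1.13.0/27", "194.165.16.0/24", "194.165.17.0/24")
]
CERBER_CHECKIN_PORT = 6892


def parse_flows(text):
    """Parse flow records of the form 'src_ip dst_ip proto dst_port'.

    The record format is an assumption made for this example, not a format
    the original posts describe.
    """
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      proto.lower(), int(dport)))
    return flows


def is_cerber_checkin(dst, proto, dport):
    """True if a flow is UDP to port 6892 inside one of the IOC subnets."""
    return (proto == "udp" and dport == CERBER_CHECKIN_PORT
            and any(dst in net for net in CERBER_CHECKIN_NETS))


def find_cerber_checkins(flows, sweep_threshold=8):
    """Group matching flows by source host.

    A host that contacts many distinct addresses inside the IOC subnets is
    reported as a sweep (the behaviour the posts describe); a single matching
    flow is still reported, just not flagged as a sweep. The threshold of 8
    distinct targets is an arbitrary choice for this example.
    """
    targets = defaultdict(set)
    hits = defaultdict(int)
    for src, dst, proto, dport in flows:
        if is_cerber_checkin(dst, proto, dport):
            targets[src].add(dst)
            hits[src] += 1
    report = {}
    for src in targets:
        nets_hit = sorted(str(n) for n in CERBER_CHECKIN_NETS
                          if any(t in n for t in targets[src]))
        report[str(src)] = {
            "distinct_targets": len(targets[src]),
            "flows": hits[src],
            "nets": nets_hit,
            "sweep": len(targets[src]) >= sweep_threshold,
        }
    return report


def constructed_flows():
    """Build a small constructed flow log (not real traffic) to exercise the detector."""
    lines = []
    # 10.0.0.15 sweeps all 32 addresses of 15.49.2.0/27 three times, as the post describes.
    for _ in range(3):
        for host in ipaddress.ip_network("15.49.2.0/27"):
            lines.append(f"10.0.0.15 {host} udp {CERBER_CHECKIN_PORT}")
    lines += [
        "10.0.0.15 8.8.8.8 udp 53",         # ordinary DNS, ignored
        "10.0.0.22 194.165.16.7 udp 6892",  # one check-in, reported but not a sweep
        "10.0.0.30 194.165.16.7 tcp 443",   # wrong protocol/port, ignored
        "10.0.0.30 15.49.2.200 udp 6892",   # outside the /27, ignored
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for src, info in find_cerber_checkins(parse_flows(constructed_flows())).items():
        print(src, info)
```

Matching on the subnet rather than on single addresses is what makes this useful: the posts show the same four ranges across several weeks of Rig-V/Cerber traffic, and the /27 and /24 boundaries are exactly what the malware itself iterates over.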


302 Redirects from Traffic Distribution System Led to RIG-V EK at 194.87.238.156. Dropped Downloader & “XKeyScore” Keylogger

IOCs:
GET /in/traf/ – 302 redirect via port 18001 (BossTDS port)
GET /boom/mix.php – 302 redirect via port 18001 (BossTDS port)
194.87.238.156 – try.uludan.com – Rig-V EK (landing page, Flash exploit, and payload)
111.221.47.162 – POST /faa38820fa/dd6c45917a/d23d3e97c0/chat.php – Base64-encoded data being POSTed back
188.40.248.71 – GET /~mysuperp/crypt2_7038.exe – Additional malware downloaded
91.107.108.124 – POST ...