2017-01-26 - PSEUDO-DARKLEECH RIG-V SENDS CERBER RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-01-26-pseudoDarkleech-Rig-V-sends-Cerber-ransomware-2-pcaps.zip   1.1 MB (1,136,330 bytes)

• 2017-01-25-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (654,112 bytes)
• 2017-01-26-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (694,220 bytes)

• 2017-01-26-pseudoDarkleech-Rig-V-artifacts-and-Cerber-ransomware.zip   1.1 MB (1,083,879 bytes)

• 2017-01-25-Cerber-ransomware_HELP_HELP_HELP_VDWTIRGL.hta   (75,787 bytes)
• 2017-01-25-Cerber-ransomware_HELP_HELP_HELP_VDWTIRGL.jpg   (250,972 bytes)
• 2017-01-25-pseudoDarkleech-Rig-V-QTTYUADAF.txt   (1,137 bytes)
• 2017-01-25-pseudoDarkleech-Rig-V-flash-exploit.swf   (14,969 bytes)
• 2017-01-25-pseudoDarkleech-Rig-V-landing-page.txt   (5,243 bytes)
• 2017-01-25-pseudoDarkleech-Rig-V-page-from-wordtemplates_org-with-injected-pseudoDarkleech-script.txt   (54,496 bytes)
• 2017-01-25-pseudoDarkleech-Rig-V-payload-Cerber-ransomware-rad8A3F0.tmp.exe   (252,861 bytes)
• 2017-01-26-Cerber-ransomware_HELP_HELP_HELP_EO3PY5Y.hta   (75,787 bytes)
• 2017-01-26-Cerber-ransomware_HELP_HELP_HELP_EO3PY5Y.jpg   (256,497 bytes)
• 2017-01-26-pseudoDarkleech-Rig-V-QTTYUADAF.txt   (1,137 bytes)
• 2017-01-26-pseudoDarkleech-Rig-V-flash-exploit.swf   (19,230 bytes)
• 2017-01-26-pseudoDarkleech-Rig-V-landing-page.txt   (5,211 bytes)
• 2017-01-26-pseudoDarkleech-Rig-V-page-from-wordtemplates_org-with-injected-pseudoDarkleech-script.txt   (54,521 bytes)
• 2017-01-26-pseudoDarkleech-Rig-V-payload-Cerber-ransomware-rad988C0.tmp.exe   (247,874 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

• Rig-V is what security researchers called Rig EK version 4 when it was only accessible by "VIP" customers, while the old version (Rig 3) was still in use (reference).
• I currently call it "Rig-V" out of habit.  You can probably just call it Rig EK now.
• Before 2017, I used to see Empire Pack (Rig-E) which is a variant of Rig EK with older-style URLs as described by Kafeine here.
• I've onlyt seen Rig-V (Rig 4.0) when looking at Rig EK-based campaigns so far in 2017.

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

• My most recent in-depth write-up on the pseudoDarkleech campaign can be found here.

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the pseudoDarkleech campaign from the compromised site on Wednesday 2017-01-25.

 

Shown above:  Pcap of the infection traffic from Wednesday 2017-01-25 filtered in Wireshark.

 

Shown above:  Injected script from the pseudoDarkleech campaign from the compromised site on Thursday 2017-01-26.

 

Shown above:  Pcap of the infection traffic from Thursday 2017-01-26 filtered in Wireshark (1st run).

 

ASSOCIATED DOMAINS:

• www.wordtemplates[.]org - Compromised site
• 89.223.29[.]219 port 80 - kuku.medlawpress[.]net - Rig-V from Wednesday 2017-01-25
• 194.87.238[.]222 port 80 - rem.elasu[.]com - Rig-V from Thursday 2017-01-26

• 90.2.1[.]0 to 90.2.1[.]31 (90.2.1[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic (both days)
• 90.3.1[.]0 to 90.3.1[.]31 (90.3.1[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic (both days)
• 91.239.24[.]0 to 91.239.25[.]255 (91.239.24[.]0/23) UDP port 6892 - Cerber ransomware post-infection UDP traffic (both days)
• 185.61.149[.]241 port 80 - p27dokhpz2n7nvgr.15nhsf[.]top - HTTP post-infection HTTP traffic from the Wednesday 2017-01-25 infection
• 162.220.244[.]33 port 80 - p27dokhpz2n7nvgr.1plugt[.]top - HTTP post-infection HTTP traffic from the Thursday 2017-01-26 infection

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  2f85bb24b125ce16298ad9277b8c6f594c595126bfdd4b1112709be21998e0d1   (14,969 bytes)
  File description:  Rig-V Flash exploit seen on Wednesday 2017-01-25

• SHA256 hash:  c51983e60892d0c011339e123f9058c390f8f4bc162e00fa1879db4a76734029   (19,230 bytes)
  File description:  Rig-V Flash exploit seen on Thursday 2017-01-26

PAYLOADS:

• SHA256 hash:  2f1ac05ea0fe4bd365c0de29394515737dfdc7df832ef16088e139e8d68500f9   (252,861 bytes)
  File path example:  C:\Users\[username]\AppData\Local\Temp\rad8A3F.tmp.exe
  File description:  pseudoDarkleech payload from Rig-V on Wednesday 2017-01-25 (Cerber ransomware)

• SHA256 hash:  b7ea1284ba26c1ab31d9ed3d88bd94ed5cf01c7bbe317a1bcb1799c921957645   (247,874 bytes)
  File path example:  C:\Users\[username]\AppData\Local\Temp\rad988C0.tmp.exe
  File description:  pseudoDarkleech payload from Rig-V on Thursday 2017-01-26 (Cerber ransomware)

 

IMAGES

Shown above:  Desktop of the infected Windows host on Thursday 2017-01-26.

 

Click here to return to the main page.