2016-11-10 - PSEUDO-DARKLEECH RIG-V FROM 109.234.34.91 SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-11-10-pseudoDarkleech-RIGv-sends-Cerber-ransomware.pcap.zip   643 kB (643,032 bytes)

• 2016-11-10-pseudoDarkleech-RIGv-sends-Cerber-ransomware.pcap   (875,983 bytes)

• ZIP archive of the malware:  2016-11-10-pseudoDarkleech-RIGv-sends-Cerber-malware-and-artifacts.zip   657 kB (656,742 bytes)

• 2016-11-10-Cerber-ransomware-decrypt-instructions-README.hta   (67,712 bytes)
• 2016-11-10-Cerber-ransomware-decrypt-instructions.bmp   (1,920,054 bytes)
• 2016-11-10-page-from-aulaestudio.com-with-injected-script.txt   (22,540 bytes)
• 2016-11-10-pseudoDarkleech-RIGv--artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-10-pseudoDarkleech-RIGv-flash-exploit.swf   (51,794 bytes)
• 2016-11-10-pseudoDarkleech-RIGv-landing-page.txt   (5,221 bytes)
• 2016-11-10-pseudoDarkleech-RIGv-payload-Cerber.exe   (535,934 bytes)

NOTE:

• Thanks to @FreeBSDfan for emailing me about the compromised website used for this blog entry (I'm still working through the list he sent me).

BACKGROUND:

• I'm currently tracking 3 versions of Rig EK as classified in an October 2016 blog post by Kafeine.
• RIG-v: a "VIP version" with new URL patterns, different landing page obfuscation, and RC4 encoding for the payload.  Used by the Afraidgate & pseudoDarkleech campaigns.
• RIG-E: a variant with old URL patterns, landing page structure, and payload obfuscation.  Also known as Empire Pack.  I often see RIG-E used by the EITest campaign.
• RIG standard: a standard version (like RIG-E) but uses new URL patterns introduced by RIG-v.  The EITest campaign uses RIG standard to send CryptFile2 ransomware.

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-03-22 - PaloAlto Networks Unit 42 blog:  Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
• 2016-07-02 - SANS ISC diary:  Change in patterns for the pseudoDarkleech campaign
• 2016-09-14 - Malware-traffic-analysis.net:  The pseudoDarkleech campaign starts using Rig EK instead of Neutrino EK
• 2016-10-03 - Malware-traffic-analysis.net:  The pseudoDarkleech campaign stops sending CryptXXX, starts sending Cerber ransomware

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the pseudoDarkleech campaign in a page from the compromised site.

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• www.aulaestudio.com - Compromised site
• 109.234.34.91 port 80 - add.allthingsentrepreneurship.com - RIG-v
• 65.55.50.0 - 65.55.50.31 (65.55.50.0/27) port 6892 - UDP traffic caused by Cerber
• 192.42.118.0 - 192.42.118.31 (192.42.118.0/27)port 6892 - UDP traffic caused by Cerber
• 194.165.16.0 - 194.165.19.255 (194.165.16.0/22) port 6892 - UDP traffic caused by Cerber
• 190.123.45.169 port 80 - vyohacxzoue32vvk.13983z.top - HTTP traffic caused by Cerber

 

OTHER DOMAINS FROM THE DECRYPT INSTRUCTIONS:

• vyohacxzoue32vvk.ph4lu4.top
• vyohacxzoue32vvk.onion.to

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  7d9f963c8584b87a78b3d173697729dc28f0a35f769dbca68379fd4e7d82b0c2
  File name:  2016-11-10-pseudoDarkleech-RIGv-flash-exploit.swf   (51,794 bytes)

PAYLOAD (CERBER RANSOMWARE):

• SHA256 hash:  614226a7646cfb2a4a6ead18238a175eedbc3d89227d1540f59892397371a938
  File name:  C:\Users\[username]\AppData\Local\Temp\rad4E1FD.tmp.exe   (535,934 bytes)

 

IMAGES

Shown above:  Windows desktop of an infected host after rebooting.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-11-10-pseudoDarkleech-RIGv-sends-Cerber-ransomware.pcap.zip   643 kB (643,032 bytes)
• ZIP archive of the malware:  2016-11-10-pseudoDarkleech-RIGv-sends-Cerber-malware-and-artifacts.zip   657 kB (656,742 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.