2016-11-13 - PSEUDO-DARKLEECH RIG-V FROM 109.234.35.232 SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-11-13-pseudoDarkleech-RIGv-sends-Cerber-ransomware.pcap.zip   968 kB (968,274 bytes)

• 2016-11-13-pseudoDarkleech-RIGv-sends-Cerber-ransomware.pcap   (1,228,927 bytes)

• ZIP archive of the malware:  2016-11-13-pseudoDarkleech-RIGv-sends-Cerber-malware-and-artifacts.zip   552 kB (552,382 bytes)

• 2016-11-13-Cerber-ransomware-decryption-instructions-README.hta   (67,712 bytes)
• 2016-11-13-Cerber-ransomware-decryption-instructions.bmp   (1,920,054 bytes)
• 2016-11-13-page-from-joellipman.com-with-injected-script.txt   (68,127 bytes)
• 2016-11-13-pseudoDarkleech-RIGv-flash-exploit.swf   (51,776 bytes)
• 2016-11-13-pseudoDarkleech-RIGv-landing-page.txt   (30,325 bytes)
• 2016-11-13-pseudoDarkleech-RIGv-payload-Cerber.exe   (259,903 bytes)

BACKGROUND:

• I'm currently tracking 3 versions of Rig EK as classified in an October 2016 blog post by Kafeine.
• RIG-v: a "VIP version" with new URL patterns, different landing page obfuscation, and RC4 encoding for the payload.  Used by the Afraidgate & pseudoDarkleech campaigns.
• RIG-E: a variant with old URL patterns, landing page structure, and payload obfuscation.  Also known as Empire Pack.  I often see RIG-E used by the EITest campaign.
• RIG standard: a standard version (like RIG-E) but uses new URL patterns introduced by RIG-v.  The EITest campaign uses RIG standard to send CryptFile2 ransomware.

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-03-22 - PaloAlto Networks Unit 42 blog:  Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
• 2016-07-02 - SANS ISC diary:  Change in patterns for the pseudoDarkleech campaign
• 2016-09-14 - Malware-traffic-analysis.net:  The pseudoDarkleech campaign starts using Rig EK instead of Neutrino EK
• 2016-10-03 - Malware-traffic-analysis.net:  The pseudoDarkleech campaign stops sending CryptXXX, starts sending Cerber ransomware

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the pseudoDarkleech campaign in a page from the compromised site.

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• joellipman.com - Compromised site
• 109.234.35.232 port 80 - new.vividsydney.live - RIG-v
• 65.55.50.0 - 65.55.50.31 (65.55.50.0/27) port 6892 - UDP traffic caused by Cerber
• 192.42.118.0 - 192.42.118.31 (192.42.118.0/27)port 6892 - UDP traffic caused by Cerber
• 194.165.16.0 - 194.165.19.255 (194.165.16.0/22) port 6892 - UDP traffic caused by Cerber
• 104.238.215.11 port 80 - lfdachijzuwx4bc4.p7k7t4.top - HTTP traffic caused by Cerber

 

OTHER DOMAINS FROM THE DECRYPT INSTRUCTIONS:

• lfdachijzuwx4bc4.tjdup0.top
• lfdachijzuwx4bc4.onion.to

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  4d7917b18cdef500a952fdcfbe12bbf41114e84e249bc4956c485d3ce231eae3
  File name:  2016-11-13-pseudoDarkleech-RIGv-flash-exploit.swf   (51,776 bytes)

PAYLOAD (CERBER RANSOMWARE):

• SHA256 hash:  2c44743634ebff20bcd5991f21cdfdebbade87c184453aef5882a363c9019b40
  File name:  C:\Users\[username]\AppData\Local\Temp\rad6953C.tmp.exe   (259,903 bytes)

 

IMAGES

Shown above:  Windows desktop of an infected host after rebooting.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-11-13-pseudoDarkleech-RIGv-sends-Cerber-ransomware.pcap.zip   968 kB (968,274 bytes)
• ZIP archive of the malware:  2016-11-13-pseudoDarkleech-RIGv-sends-Cerber-malware-and-artifacts.zip   552 kB (552,382 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.