2016-12-02 - PSEUDO-DARKLEECH RIG-V FROM 109.234.34.24 SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-12-02-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap.zip   397 kB (396,542 bytes)

• 2016-12-02-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (525,203 bytes)

• ZIP archive of the malware:  2016-12-02-pseudoDarkleech-Rig-V-sends-Cerber-malware-and-artifacts.zip   576 kB (576,385 bytes)

• 2016-12-02-Cerber-decryption-instructions.bmp   (1,920,054 bytes)
• 2016-12-02-Cerber-decryption-instructions_README_NLKQ49Z_.hta   (67,748 bytes)
• 2016-12-02-page-from-paracordtutorials.com-with-injected-script.txt   (92,328 bytes)
• 2016-12-02-pseudoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-12-02-pseudoDarkleech-Rig-V-flash-exploit.swf   (10,096 bytes)
• 2016-12-02-pseudoDarkleech-Rig-V-landing-page.txt   (90,277 bytes)
• 2016-12-02-pseudoDarkleech-Rig-V-payload-Cerber-radEB1A6.tmp.exe   (293,656 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

• I'm currently tracking 3 versions of Rig EK as classified in an October 2016 blog post by Kafeine.
• Rig-V: a "VIP version" with new URL patterns, different landing page obfuscation, and RC4 encryption for the payload.  Used by the Afraidgate & pseudoDarkleech campaigns.
• Rig-E: a variant with old URL patterns, now with with RC4 encryption for the payload.  Also known as Empire Pack.  I often see Rig-E used by the pseudoDarkleech campaign.
• Rig standard: uses new URL patterns introduced by Rig-V, but old obfuscation (ASCII string to XOR the payload binary).  The pseudoDarkleech campaign formerly used Rig standard to send CryptFile2 (CryptoMix) ransomware before switching to Rig-V for that purpose.

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-03-22 - PaloAlto Networks Unit 42 blog:  Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
• 2016-07-02 - SANS ISC diary:  Change in patterns for the pseudoDarkleech campaign
• 2016-09-14 - Malware-traffic-analysis.net:  The pseudoDarkleech campaign starts using Rig EK instead of Neutrino EK
• 2016-10-03 - Malware-traffic-analysis.net:  The pseudoDarkleech campaign stops sending CryptXXX, starts sending Cerber ransomware

CERBER UPDATED:

• Looks like Cerber ransomware got a facelift since the last time I checked.  No more version numbers in the instructions.
• At first glance, there's no fundamental changes, but this version of Cerber is no longer version 5.0.1.
• @Oddly_Normal has also seen this and posted an example of the infection traffic. (link).

Shown above:  Add some green, and you'll have a Christmas-themed ransomware screen!

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the pseudoDarkleech campaign from the compromised site.

 

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• www.paracordtutorials.com - Compromised site
• 109.234.34.24 port 80 - f6pv.canadasmartplan.com - Rig-V
• 15.49.2.0 to 15.49.2.31 (15.49.2.0/27) UDP port 6892 - Cerber post-infection UDP traffic
• 122.1.13.0 to 122.1.1331 (122.1.13.0/27) UDP port 6892 - Cerber post-infection UDP traffic
• 194.165.16.0 to 194.165.17.255 (194.165.16.0/23) UDP port 6892 - Cerber post-infection UDP traffic
• 104.36.83.121 port 80 - ffoqr3ug7m726zou.zh5mu9.bid - Cerber post-infection HTTP traffic

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  1f593737d5850d0b854d6f1f3fd8977b56bef479c14558339b0dad4a1d466647   (10,096 bytes)
  File name:  2016-12-02-pseudoDarkleech-Rig-V-flash-exploit.swf

PAYLOAD (CERBER RANSOMWARE):

• SHA256 hash:  51939ec8bc405cddcbf4f8762c4da5d54d4be7a20bf60cd5ef8971dd80e70c67   (293,656 bytes)
  File name:  C:\Users\[Username]\AppData\Local\Temp\radEB1A6.tmp.exe

 

IMAGES

Shown above:  Desktop of an infected Windows host after checking the decryption instructions.

 

Shown above:  .8637 was the extension for the files encrypted during this infection.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-12-02-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap.zip   397 kB (396,542 bytes)
• ZIP archive of the malware:  2016-12-02-pseudoDarkleech-Rig-V-sends-Cerber-malware-and-artifacts.zip   576 kB (576,385 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.