Malware-Traffic-Analysis.net - 2016-12-11 - pseudoDarkleech Rig-V from 195.133.48.182 sends Cerber ransomware

2016-12-11 - PSEUDO-DARKLEECH RIG-V FROM 195.133.48.182 SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

ZIP archive of the pcap: 2016-12-11-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap.zip 642 kB (642,326 bytes)

2016-12-11-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap (790,508 bytes)

ZIP archive of the malware: 2016-12-11-pseudoDarkleech-Rig-V-sends-Cerber-malware-and-artifacts.zip 505 kB (504,550 bytes)

2016-12-11-Cerber-decryption-instructions.bmp (1,920,054 bytes)

2016-12-11-Cerber-decryption-instructions_README_.hta (67,727 bytes)

2016-12-11-page-from-igcusa.com-with-injected-pseudoDarkleech-script.txt (30,030 bytes)

2016-12-11-pseudoDarkleech-Rig-V-artifact-QXj6sFosp.txt (1,137 bytes)

2016-12-11-pseudoDarkleech-Rig-V-flash-exploit.swf (13,529 bytes)

2016-12-11-pseudoDarkleech-Rig-V-landing-page.txt (5,378 bytes)

2016-12-11-pseudoDarkleech-Rig-V-payload-Cerber-rad168FD.tmp.exe (276,726 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

I'm currently tracking 3 versions of Rig EK as classified in an October 2016 blog post by Kafeine.
Rig-V: a "VIP version" with new URL patterns, different landing page obfuscation, and RC4 encryption for the payload. Used by the Afraidgate & pseudoDarkleech campaigns.
Rig-E: a variant with old URL patterns, now with with RC4 encryption for the payload. Also known as Empire Pack. I often see Rig-E used by the pseudoDarkleech campaign.
Rig standard: uses new URL patterns introduced by Rig-V, but old obfuscation (ASCII string to XOR the payload binary). The pseudoDarkleech campaign formerly used Rig standard to send CryptFile2 (CryptoMix) ransomware before switching to Rig-V for that purpose.

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

Something I wrote on exploit kit (EK) fundamentals: link
2016-03-22 - PaloAlto Networks Unit 42 blog: Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
2016-09-14 - Malware-traffic-analysis.net: The pseudoDarkleech campaign starts using Rig EK instead of Neutrino EK
2016-10-03 - Malware-traffic-analysis.net: The pseudoDarkleech campaign stops sending CryptXXX, starts sending Cerber ransomware

CERBER UPDATED:

Looks like Cerber ransomware shed its previous red-themed facelift and went back to version 5.0.1, at least for this infection.
Thanks to Chris for emailing me about the compromised website.

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Injected script from the pseudoDarkleech campaign from the compromised site.

Shown above: Pcap of the infection traffic filtered in Wireshark.

ASSOCIATED DOMAINS:

www.igcusa.com - Compromised site
195.133.48.182 port 80 - acc.xrossflex.com - Rig-V
192.168.0.0 to 192.168.0.31 (192.168.0.0/27) UDP port 6892 - Cerber post-infection UDP traffic
194.165.16.0 to 194.165.17.255 (195.165.16.0/23) UDP port 6892 - Cerber post-infection UDP traffic
185.69.153.226 port 80 - ffoqr3ug7m726zou.uld7hk.top - Cerber post-infection HTTP traffic

FILE HASHES

FLASH EXPLOIT:

SHA256 hash: d55711ca0cf4e78e097632dad05d9772bf351d12203f02e614c313b1e5d61bcc (13,529 bytes)
File description: Flash exploit used by Rig-V on 2016-12-11

PAYLOAD (CERBER RANSOMWARE):

SHA256 hash: 294d565987165a3258eda3ebca0b0d0d44ce83230c866dd69d7e597c92c7bbf7 (276,726 bytes)
File path: C:\Users\[Username]\AppData\Local\Temp\rad168FD.tmp.exe

IMAGES

Shown above: Desktop of an infected Windows host after checking the decryption instructions.

FINAL NOTES

Once again, here are the associated files:

ZIP archive of the pcap: 2016-12-11-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap.zip 642 kB (642,326 bytes)
ZIP archive of the malware: 2016-12-11-pseudoDarkleech-Rig-V-sends-Cerber-malware-and-artifacts.zip 505 kB (504,550 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.