2017-01-19 - PSEUDO-DARKLEECH RIG-V SENDS CERBER RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2017-01-19-pseudoDarkleech-Rig-V-sends-Cerber-pcaps.zip 1.6 MB (1,583,798 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-1st-run-sends-Cerber-ransomware.pcap (1,031,052 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-2nd-run-sends-Cerber-ransomware.pcap (683,690 bytes)
- ZIP archive of the malware and artifacts: 2017-01-19-pseudoDarkleech-Rig-V-sends-Cerber-malware-and-artifacts.zip 829 kB (828,800 bytes)
- 2017-01-19-page-from-joellipman.com-with-injected-pseudoDarkleech-script-1st-run.txt (67,426 bytes)
- 2017-01-19-page-from-joellipman.com-with-injected-pseudoDarkleech-script-2nd-run.txt (67,353 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-1st-run-landing-page.txt (5,183 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-2nd-run-landing-page.txt (5,187 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-1st-run-payload-Cerber-rad5F054.tmp.exe (287,839 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-2nd-run-payload-Cerber-rad50B2A.tmp.exe (245,169 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-both-runs-flash-exploit.swf (38,321 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-both-runs-artifact-QTTYUADAF.txt (1,137 bytes)
- 2017-01-19-Cerber_HELP_HELP_HELP_WI2DBQAZ.hta (75,787 bytes)
- 2017-01-19-Cerber_HELP_HELP_HELP_WI2DBQAZ.jpg (231,560 bytes)
BACKGROUND ON RIG EXPLOIT KIT:
- Rig-V is what security researchers called Rig EK version 4 when it was only accessible by "VIP" customers, while the old version (Rig 3) was still in use (reference).
- I currently call it "Rig-V" out of habit. You can probably just call it Rig EK now.
- Before 2017, I used to see Empire Pack (Rig-E) which is a variant of Rig EK with older-style URLs as described by Kafeine here.
- I haven't seen anything other than Rig-V (Rig 4.0) when looking at Rig EK-based campaigns so far in 2017.
BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:
- My most recent in-depth write-up on the pseudoDarkleech campaign can be found here.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script from the pseudoDarkleech campaign from the compromised site (1st run).
Shown above: Pcap of the infection traffic filtered in Wireshark (1st run).
Shown above: Injected script from the pseudoDarkleech campaign from the compromised site (2nd run).
Shown above: Pcap of the infection traffic filtered in Wireshark (2nd run).
ASSOCIATED DOMAINS:
- joellipman.com - Compromised site
- 92.53.119.137 port 80 - 3xwk.sensorispace.net - Rig-V (pseudoDarkleech campaign, 1st run)
- 188.225.32.189 port 80 - 8e5.dresdencowboy.com - Rig-V (pseudoDarkleech campaign, 2nd run)
- 90.2.1.0 to 90.2.1.31 (90.2.1.0/27) UDP port 6892 - Cerber post-infection UDP traffic
- 90.3.1.0 to 90.3.1.31 (90.3.1.0/27) UDP port 6892 - Cerber post-infection UDP traffic
- 91.239.24.0 to 91.239.25.255 (91.239.24.0/23) UDP port 6892 - Cerber post-infection UDP traffic
- 162.220.244.29 port 80 - p27dokhpz2n7nvgr.1kja1j.top - HTTP post-infection traffic caused by Cerber
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: 48b4ead5c286c616d7cb11900ef01b41893aae710c255ffd4b12933d7d5cbcbc (38,321 bytes)
File description: Rig-V Flash exploit seen on 2017-01-19
PAYLOADS:
- SHA256 hash: 86420fc915fd55879e36849d1f5d3eb723b3276371173e1358dcdb4d015ad7f1 (287,839 bytes)
File path example: C:\Users\[username]\AppData\Local\Temp\rad5F054.tmp.exe
File description: pseudoDarkleech payload from Rig-V (Cerber ransomware) 1st run on 2017-01-19
- SHA256 hash: 25474fa7e4860e765d27a3f1e74588e57988fcb27a8f85db3367de4e945eca4b (245,169 bytes)
File path example: C:\Users\[username]\AppData\Local\Temp\rad50B2A.tmp.exe
File description: pseudoDarkleech payload from Rig-V (Cerber ransomware) 2nd run on 2017-01-19
IMAGES
Shown above: Desktop of the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2017-01-19-pseudoDarkleech-Rig-V-sends-Cerber-pcaps.zip 1.6 MB (1,583,798 bytes)
- ZIP archive of the malware and artifacts: 2017-01-19-pseudoDarkleech-Rig-V-sends-Cerber-malware-and-artifacts.zip 829 kB (828,800 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.