2017-01-19 - PSEUDO-DARKLEECH RIG-V SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-01-19-pseudoDarkleech-Rig-V-sends-Cerber-pcaps.zip   1.6 MB (1,583,798 bytes)

• 2017-01-19-pseudoDarkleech-Rig-V-1st-run-sends-Cerber-ransomware.pcap   (1,031,052 bytes)
• 2017-01-19-pseudoDarkleech-Rig-V-2nd-run-sends-Cerber-ransomware.pcap   (683,690 bytes)

• ZIP archive of the malware and artifacts:  2017-01-19-pseudoDarkleech-Rig-V-sends-Cerber-malware-and-artifacts.zip   829 kB (828,800 bytes)

• 2017-01-19-page-from-joellipman.com-with-injected-pseudoDarkleech-script-1st-run.txt   (67,426 bytes)
• 2017-01-19-page-from-joellipman.com-with-injected-pseudoDarkleech-script-2nd-run.txt   (67,353 bytes)
• 2017-01-19-pseudoDarkleech-Rig-V-1st-run-landing-page.txt   (5,183 bytes)
• 2017-01-19-pseudoDarkleech-Rig-V-2nd-run-landing-page.txt   (5,187 bytes)
• 2017-01-19-pseudoDarkleech-Rig-V-1st-run-payload-Cerber-rad5F054.tmp.exe   (287,839 bytes)
• 2017-01-19-pseudoDarkleech-Rig-V-2nd-run-payload-Cerber-rad50B2A.tmp.exe   (245,169 bytes)
• 2017-01-19-pseudoDarkleech-Rig-V-both-runs-flash-exploit.swf   (38,321 bytes)
• 2017-01-19-pseudoDarkleech-Rig-V-both-runs-artifact-QTTYUADAF.txt   (1,137 bytes)
• 2017-01-19-Cerber_HELP_HELP_HELP_WI2DBQAZ.hta   (75,787 bytes)
• 2017-01-19-Cerber_HELP_HELP_HELP_WI2DBQAZ.jpg   (231,560 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

• Rig-V is what security researchers called Rig EK version 4 when it was only accessible by "VIP" customers, while the old version (Rig 3) was still in use (reference).
• I currently call it "Rig-V" out of habit.  You can probably just call it Rig EK now.
• Before 2017, I used to see Empire Pack (Rig-E) which is a variant of Rig EK with older-style URLs as described by Kafeine here.
• I haven't seen anything other than Rig-V (Rig 4.0) when looking at Rig EK-based campaigns so far in 2017.

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

• My most recent in-depth write-up on the pseudoDarkleech campaign can be found here.

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the pseudoDarkleech campaign from the compromised site (1st run).

 

Shown above:  Pcap of the infection traffic filtered in Wireshark (1st run).

 

Shown above:  Injected script from the pseudoDarkleech campaign from the compromised site (2nd run).

 

Shown above:  Pcap of the infection traffic filtered in Wireshark (2nd run).

 

ASSOCIATED DOMAINS:

• joellipman.com - Compromised site
• 92.53.119.137 port 80 - 3xwk.sensorispace.net - Rig-V (pseudoDarkleech campaign, 1st run)
• 188.225.32.189 port 80 - 8e5.dresdencowboy.com - Rig-V (pseudoDarkleech campaign, 2nd run)

• 90.2.1.0 to 90.2.1.31 (90.2.1.0/27) UDP port 6892 - Cerber post-infection UDP traffic
• 90.3.1.0 to 90.3.1.31 (90.3.1.0/27) UDP port 6892 - Cerber post-infection UDP traffic
• 91.239.24.0 to 91.239.25.255 (91.239.24.0/23) UDP port 6892 - Cerber post-infection UDP traffic
• 162.220.244.29 port 80 - p27dokhpz2n7nvgr.1kja1j.top - HTTP post-infection traffic caused by Cerber

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  48b4ead5c286c616d7cb11900ef01b41893aae710c255ffd4b12933d7d5cbcbc   (38,321 bytes)
  File description:  Rig-V Flash exploit seen on 2017-01-19

PAYLOADS:

• SHA256 hash:  86420fc915fd55879e36849d1f5d3eb723b3276371173e1358dcdb4d015ad7f1   (287,839 bytes)
  File path example:  C:\Users\[username]\AppData\Local\Temp\rad5F054.tmp.exe
  File description:  pseudoDarkleech payload from Rig-V (Cerber ransomware) 1st run on 2017-01-19

• SHA256 hash:  25474fa7e4860e765d27a3f1e74588e57988fcb27a8f85db3367de4e945eca4b   (245,169 bytes)
  File path example:  C:\Users\[username]\AppData\Local\Temp\rad50B2A.tmp.exe
  File description:  pseudoDarkleech payload from Rig-V (Cerber ransomware) 2nd run on 2017-01-19

 

IMAGES

Shown above:  Desktop of the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-01-19-pseudoDarkleech-Rig-V-sends-Cerber-pcaps.zip   1.6 MB (1,583,798 bytes)
• ZIP archive of the malware and artifacts:  2017-01-19-pseudoDarkleech-Rig-V-sends-Cerber-malware-and-artifacts.zip   829 kB (828,800 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.