2016-11-13 - PSEUDO-DARKLEECH RIG-V FROM 109.234.35[.]232 SENDS CERBER RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-11-13-pseudoDarkleech-RIGv-sends-Cerber-ransomware.pcap.zip   968.3 kB (968,274 bytes)

• 2016-11-13-pseudoDarkleech-RIGv-sends-Cerber-ransomware.pcap   (1,228,927 bytes)

• 2016-11-13-pseudoDarkleech-RIGv-and-Cerber-ransomware-files.zip   553.4 kB (553,372 bytes)

• 2016-11-13-Cerber-ransomware-decryption-instructions-README.hta   (67,712 bytes)
• 2016-11-13-Cerber-ransomware-decryption-instructions.bmp   (1,920,054 bytes)
• 2016-11-13-page-from-joellipman_com-with-injected-script.txt   (68,127 bytes)
• 2016-11-13-pseudoDarkleech-RIGv-flash-exploit.swf   (51,776 bytes)
• 2016-11-13-pseudoDarkleech-RIGv-landing-page.txt   (30,325 bytes)
• 2016-11-13-pseudoDarkleech-RIGv-payload-Cerber-ransomware.exe   (259,903 bytes)

BACKGROUND:

• I'm currently tracking 3 versions of Rig EK as classified in an October 2016 blog post by Kafeine.
• Rig-V: a "VIP version" with new URL patterns and RC4 encryption for the payload.  Used by the Afraidgate, EITest, and pseudoDarkleech campaigns.
• Rig-E: a variant with old URL patterns, but uses with RC4 encryption for the payload.  Also known as Empire Pack.  I often see Rig-E used by the EITest campaign.
• RIG standard: a standard version (like RIG-E) but uses new URL patterns introduced by RIG-v.  The EITest campaign uses RIG standard to send CryptFile2 ransomware.

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-03-22 - PaloAlto Networks Unit 42 blog:  Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
• 2016-07-02 - SANS ISC diary:  Change in patterns for the pseudoDarkleech campaign
• 2016-09-14 - Malware-traffic-analysis.net:  The pseudoDarkleech campaign starts using Rig EK instead of Neutrino EK
• 2016-10-03 - Malware-traffic-analysis.net:  The pseudoDarkleech campaign stops sending CryptXXX, starts sending Cerber ransomware

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the pseudoDarkleech campaign in a page from the compromised site.

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• joellipman[.]com - Compromised site
• 109.234.35[.]232 port 80 - new.vividsydney[.]live - RIG-v
• 65.55.50[.]0 - 65.55.50[.]31 (65.55.50[.]0/27) port 6892 - UDP traffic caused by Cerber
• 192.42.118[.]0 - 192.42.118[.]31 (192.42.118[.]0/27)port 6892 - UDP traffic caused by Cerber
• 194.165.16[.]0 - 194.165.19[.]255 (194.165.16[.]0/22) port 6892 - UDP traffic caused by Cerber
• 104.238.215[.]11 port 80 - lfdachijzuwx4bc4.p7k7t4[.]top - HTTP traffic caused by Cerber

 

OTHER DOMAINS FROM THE DECRYPT INSTRUCTIONS:

• lfdachijzuwx4bc4.tjdup0[.]top
• lfdachijzuwx4bc4.onion[.]to

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  4d7917b18cdef500a952fdcfbe12bbf41114e84e249bc4956c485d3ce231eae3
  File name:  2016-11-13-pseudoDarkleech-RIGv-flash-exploit.swf   (51,776 bytes)

PAYLOAD (CERBER RANSOMWARE):

• SHA256 hash:  2c44743634ebff20bcd5991f21cdfdebbade87c184453aef5882a363c9019b40
  File name:  C:\Users\[username]\AppData\Local\Temp\rad6953C.tmp.exe   (259,903 bytes)

 

IMAGES

Shown above:  Windows desktop of an infected host after rebooting.

 

Click here to return to the main page.