2017-01-19 - PSEUDO-DARKLEECH RIG-V SENDS CERBER RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-01-19-pseudoDarkleech-Rig-V-sends-Cerber-ransomware-2-pcaps.zip 1.6 MB (1,584,316 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-sends-Cerber-ransomware-1st-run.pcap (1,031,052 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-sends-Cerber-ransomware-2nd-run.pcap (683,690 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-artifacts-and-Cerber-ransomware.zip 830.4 kB (830,446 bytes)
- 2017-01-19-Cerber-ransomware_HELP_HELP_HELP_WI2DBQAZ.hta (75,787 bytes)
- 2017-01-19-Cerber-ransomware_HELP_HELP_HELP_WI2DBQAZ.jpg (231,560 bytes)
- 2017-01-19-page-from-joellipman_com-with-injected-pseudoDarkleech-script-1st-run.txt (67,426 bytes)
- 2017-01-19-page-from-joellipman_com-with-injected-pseudoDarkleech-script-2nd-run.txt (67,353 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-1st-run-landing-page.txt (5,183 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-1st-run-payload-Cerber-ransomware-rad5F054.tmp.exe (287,839 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-2nd-run-landing-page.txt (5,187 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-2nd-run-payload-Cerber-ransomware-rad50B2A.tmp.exe (245,169 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-both-runs-artifact-QTTYUADAF.txt (1,137 bytes)
- 2017-01-19-pseudoDarkleech-Rig-V-both-runs-flash-exploit.swf (38,321 bytes)
BACKGROUND ON RIG EXPLOIT KIT:
- Rig-V is what security researchers called Rig EK version 4 when it was only accessible by "VIP" customers, while the old version (Rig 3) was still in use.
- I currently call it "Rig-V" out of habit. You can probably just call it Rig EK now.
- Before 2017, I used to see Empire Pack (Rig-E) which is a variant of Rig EK with older-style URLs as described by Kafeine here.
- I haven't seen anything other than Rig-V (Rig 4[.]0) when looking at Rig EK-based campaigns so far in 2017.
BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:
- My most recent in-depth write-up on the pseudoDarkleech campaign can be found here.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script from the pseudoDarkleech campaign from the compromised site (1st run).
Shown above: Pcap of the infection traffic filtered in Wireshark (1st run).
Shown above: Injected script from the pseudoDarkleech campaign from the compromised site (2nd run).
Shown above: Pcap of the infection traffic filtered in Wireshark (2nd run).
ASSOCIATED TRAFFIC:
- joellipman[.]com - Compromised site
- 92.53.119[.]137 port 80 - 3xwk.sensorispace[.]net - Rig-V (pseudoDarkleech campaign, 1st run)
- 188.225.32[.]189 port 80 - 8e5.dresdencowboy[.]com - Rig-V (pseudoDarkleech campaign, 2nd run)
- 90.2.1[.]0 to 90.2.1[.]31 (90.2.1[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
- 90.3.1[.]0 to 90.3.1[.]31 (90.3.1[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
- 91.239.24[.]0 to 91.239.25[.]255 (91.239.24[.]0/23) UDP port 6892 - Cerber post-infection UDP traffic
- 162.220.244[.]29 port 80 - p27dokhpz2n7nvgr.1kja1j[.]top - HTTP post-infection traffic caused by Cerber ransomware
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: 48b4ead5c286c616d7cb11900ef01b41893aae710c255ffd4b12933d7d5cbcbc (38,321 bytes)
File description: Rig-V Flash exploit seen on 2017-01-19
PAYLOADS:
- SHA256 hash: 86420fc915fd55879e36849d1f5d3eb723b3276371173e1358dcdb4d015ad7f1 (287,839 bytes)
File path example: C:\Users\[username]\AppData\Local\Temp\rad5F054.tmp.exe
File description: pseudoDarkleech payload from Rig-V (Cerber ransomware) 1st run on 2017-01-19
- SHA256 hash: 25474fa7e4860e765d27a3f1e74588e57988fcb27a8f85db3367de4e945eca4b (245,169 bytes)
File path example: C:\Users\[username]\AppData\Local\Temp\rad50B2A.tmp.exe
File description: pseudoDarkleech payload from Rig-V (Cerber ransomware) 2nd run on 2017-01-19
IMAGES
Shown above: Desktop of the infected Windows host.
Click here to return to the main page.