Rig via PseudoDarkleech delivers Cerber Ransomware.

Summary:

I finally sorted out my lab and successfully got a Cerber infection which encrypted everything with a .ba89 extension. Interestingly this Cerber did not send the standard HTTP request you would expect from Cerber. I did see a lot of Nbstat responses however from several of the IP addresses that sent data over UDP port 6892. I’m presuming these responses are what has allowed Cerber to proceed with encryption.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

Downloads

Notable Details:

  • 192.185.91.202 – sewellwilson.co[.]nz – COMPROMISED WEBSITE
  • 195.133.147.212 – guv.mobilevcilhayvan[.]com – RIG-V
  • 91.117.40.0 -> 91.117.40.31 – UDP port 6892 – Cerber Check In IP Range
  • 91.119.40.0 -> 91.119.40.31 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.40.0 -> 91.121.40.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.41.0 -> 91.121.41.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.42.0 -> 91.121.42.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.43.0 -> 91.121.43.255 – UDP port 6892 – Cerber Check In IP Range
  • Payload was rad14017.tmp.exe -> VirusTotal
  • I also put it into HybridAnalysis which failed to deliver Cerber indicating that Cerber might be able to detect a sandboxed environment.
  • Created several additional files.

Details of infection chain:


Cerber encrypts with a .ba89 extension. No HTTP request from Cerber.

Full Details:

  • Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
  • guv.mobilevcilhayvan[.]com is Rig EK, from top to bottom -> Pre-Landing -> Landing Page -> Flash -> Payload
  • UDP traffic port 6892 all contained the data “9d5b5326527fd5”
  • Dropped payload “rad14017.tmp.exe”.
  • SHA256: f62b4a1a3dbe7b0cf7e4b1fe55255d74655b96e5d143925d108be1f63f429df1
    File name: rad14017.tmp.exe
    Detection ratio: 8 / 56
  • Payload encrypted files with a “.ba89” extension.
  • I did not see the usual HTTP request of Cerber. It is likely the Nbstat responses are giving Cerber the go ahead.
  • Emerging Threat signatures for Cerber and NBTStat query response.
  • Even though I see the Conficker emerging threat signature I can now safely rule this out.
  • Cerber changes the background and loads an HTA file containing instructions on how to decrypt your files. It also plays an eerie audio stating that your files have been encrypted in the Windows 7 female USA voice.
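The UDP behaviour described above (one host spraying an identical payload to port 6892 across a contiguous /24, with no HTTP request from the ransomware) is easy to hunt for in flow or packet records. The following detector is an added example, not code from the original post; the flow records, the 10.0.0.x source addresses and the 16-host threshold are constructed assumptions.

```python
"""Flag Cerber-style UDP check-in sweeps in flow records (added example).

Pattern encoded: a single source sends UDP datagrams to port 6892 with one
identical payload to many distinct hosts inside the same /24 (e.g. the
91.121.40.0-255 range seen in the post). Normal traffic, a lone packet and
payloads that differ between targets must not trigger.
"""
from collections import defaultdict
import ipaddress

# Constructed sample records: (src_ip, dst_ip, proto, dst_port, payload_hex)
SAMPLE_FLOWS = [
    ("10.0.0.5", f"91.121.40.{i}", "udp", 6892, "9d5b5326527fd5")
    for i in range(64)                                          # the sweep
] + [
    ("10.0.0.5", "8.8.8.8", "udp", 53, "abcd0100"),             # ordinary DNS
    ("10.0.0.7", "91.121.40.3", "udp", 6892, "9d5b5326527fd5"), # one packet, no sweep
    ("10.0.0.9", "91.121.40.4", "udp", 6892, "aa"),             # payloads differ,
    ("10.0.0.9", "91.121.40.5", "udp", 6892, "bb"),             # so not this pattern
]


def find_udp_sweeps(flows, port=6892, min_targets=16):
    """Return {(src_ip, "<net>/24"): {"targets": n, "payload": hex}} for every
    source that hit at least min_targets distinct hosts in one /24 on `port`
    using a single identical payload. The threshold is an assumption."""
    buckets = defaultdict(lambda: {"targets": set(), "payloads": set()})
    for src, dst, proto, dport, payload in flows:
        if proto != "udp" or dport != port:
            continue
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        bucket = buckets[(src, str(net))]
        bucket["targets"].add(dst)
        bucket["payloads"].add(payload)

    hits = {}
    for key, bucket in buckets.items():
        if len(bucket["targets"]) >= min_targets and len(bucket["payloads"]) == 1:
            hits[key] = {"targets": len(bucket["targets"]),
                         "payload": next(iter(bucket["payloads"]))}
    return hits


if __name__ == "__main__":
    for (src, net), info in find_udp_sweeps(SAMPLE_FLOWS).items():
        print(f"{src} swept {info['targets']} hosts in {net} on udp/6892 "
              f"with payload {info['payload']}")
```

On the sample data only 10.0.0.5 is reported; a real run would feed records exported from the PCAP (for example via tshark) instead of the constructed list.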

Rig-V via PseudoDarkleech delivers Cerber.

Summary:

I had previously done analysis on the compromised website on 2nd January. I thought I would try it again to see if there were any differences. The website still contains the PseudoDarkleech gate which is delivering Cerber.

My setup did not deliver Cerber ransomware however the Cerber Check In UDP traffic was observed again. I put the payload through an online sandbox to see what would happen and found the exact same result. The payload did not create a file with a strange extension as I have previously seen so the function of that file is unknown.

I have been unable to find an answer as to why Cerber creates the UDP traffic. It is possible the payload has other functionality such as commands to a bot net to perform DDoS or the Emerging Threat signature is not a false positive and it is an action of the infamous Conficker.

Interestingly an article regarding Sage Ransomware mentions a similar UDP traffic:

When the callback domains for Sage didn’t resolve in DNS, the infected host sent UDP packets to over 7,000 IP addresses. I think this could be UDP-based peer-to-peer (P2P) traffic, and it appears to be somehow encoded or encrypted. BleepingComputer’s September 2016 write-up on CryLocker shows the same type of UDP post-infection traffic, but CryLocker’s traffic was not encrypted.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

Downloads

Notable Details:

  • 50.87.146.184 – crowsrunrecycling.com – COMPROMISED WEBSITE
  • 92.53.120.151 – cast[.]rednationrising[.]tv  – RIG-V
  • 91.239.25.0/24 – UDP port 6892 – Cerber Check In IP Range
  • 91.239.24.0/24 – UDP port 6892 – Cerber Check In IP Range
  • 17.35.12.0 -> 17.35.12.31 – UDP port 6892 – Other UDP Traffic
  • 11.56.22.0 -> 11.56.22.31 – UDP port 6892 – Other UDP Traffic
  • Payload was radC873.tmp.exe -> VirusTotal
  • Conscious that I did not receive Cerber I also put it into HybridAnalysis which reported the exact same result.
  • Did not create any other file with unusual extension like previous attempts

Details of infection chain:

Full Details:

  • Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
  • cast[.]rednationrising[.]tv is Rig EK, from top to bottom -> Pre-Landing -> Landing Page -> Flash -> Payload
  • I included the shellcode that is run after the successful exploit.
  • UDP traffic port 6892 all contained the data “7c1cf9fa1c20008c1700000ec”
  • Dropped payload “radC873.tmp.exe”. Payload did not create any unusual files like I have seen previously.
  • SHA256: 346aa416f048b2733b0971f3ae02ad353f7d3b22f447c372b16bab16af5a290a
    File name: radC8973.tmp.exe
    Detection ratio: 9 / 56
  • Payload terminated itself, did a Ping -n 127.0.0.1 and then deleted itself.
  • Emerging Threat signatures for Cerber and Conficker.
  • Malwarebytes detects it as Cerber Ransomware.
  • I have not ruled out that this could be an action of Conficker but many other researchers have received Cerber following the UDP traffic observed. I have also seen the same in the past and received Cerber.

Phishing email “Company Investigations” leads to Ursnif.

Overview

I received this email on several email accounts. You can read about more specific details on Dynamoo’s Blog which is a great site for malspam. This is my first attempt at reporting on malspam in this manner.

My sample was slightly different. Different domains and when I ran it through Hybrid Analysis there was a POST request which triggered the signature “ET TROJAN Ursnif Variant CnC Data Exfil”. There is some indication that it could be ransomware (Cerber or Nemucod) but the POST request does not match either of these. I was unable to run the sample in my lab (although I did do it in another lab) so unfortunately no PCAP is available.

In short the link in the email redirects to a domain that appears to be from the UK government and is fairly convincing. There is a CAPTCHA code required to download the file and you do actually have to input the correct code. This downloads a ZIP and in the ZIP is a JS file called “Case Details.js”. When executed this script downloads a “PDF” which is actually an executable.

Downloads

zeroursnifmalspa – This ZIP contains the JS downloader and the “PDF” in a password protected ZIP.

Notable Details:

  • 35.166.113.223 -> XXXX.gbinsolvencydirect[.]com -> All initial links redirect to this domain (random subdomain).
  • 104.238.71.250 -> http://handsthatcreate[.]com/wp-content/ev7npohd26gjy/inv1086[.]pdf -> Payload from the JS downloader
  • 213.111.163.37 -> POST /images/qqO4c7m7K0o1v1WaOVqlM3/gaduzOaWDj2Ej/dky1oD5G/b6eIbElkyYDazgJD9EVZGDf/1dS_2FD7Gk/dXjVvDWW8rFW6kynB/Q1JBt76ghIE7/J3wvFgJCKkr/IoK2klRrS mJw07/d9ga1urO7Np7wV2dbnEiH/uj5TnbCyo8_2FAIv/a0CVotDtB13_2FX/1b5vIlIROvQI1IjtGB/_2FRlkFQIOb97/D3hcwhDN/Q.bmp -> Ursnif CnC

Details of infection chain:


Phishing email “Company Investigations” leads to Ursnif

Further Details:

  • SHA256: 8d2bd198ca268762b9e429f44c68f8953e1dce60bc1bc820ff82c87ebd3e4eb6
    File name: Case_Details.js
    Detection ratio: 7 / 53
  • SHA256: 98c939c7a2406055ad0c000c6c27b46a2cba29eaf5f8a9eafd93c8bf573f309b
    File name: inv1086.pdf
    Detection ratio: 30 / 55

Rig-V via PseudoDarkleech delivers Cerber?

Summary:

I found this website through someone mentioning Rig EK so decided to analyse it to look for any new changes. The website contains the PseudoDarkleech gate.

My setup did not deliver Cerber ransomware however the Cerber Check In UDP traffic was observed again. I decided this time to save the payload before it terminated itself. I then put it through an online sandbox to see what would happen and found the exact same result.

The payload also created a strange “.8H” file which was not readable. I have been unable to find an answer as to why Cerber creates the UDP traffic. It is possible the payload has other functionality such as commands to a bot net to perform DDoS or the Emerging Threat signature is not a false positive and it is an action of the infamous Conficker.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

Downloads

  • zerorigek190117 -> Contains Pcap, payload and interesting files in password protected zip.

Notable Details:

  • 94.23.51.27 – lacaze-tarn[.]com – COMPROMISED WEBSITE
  • 188.255.32.189 – 4wx[.]leecrismanradio[.]com  – RIG-V
  • 91.239.25.0/24 – UDP port 6892 – Cerber Check In IP Range
  • 91.239.24.0/24 – UDP port 6892 – Cerber Check In IP Range
  • 90.2.1.0 -> 90.2.1.31 – UDP port 6892 – Other UDP Traffic
  • 90.3.1.0 -> 90.3.1.31 – UDP port 6892 – Other UDP Traffic
  • Payload was rad92106.tmp.exe -> VirusTotal
  • Conscious that I did not receive Cerber I also put it into HybridAnalysis which reported the exact same result.
  • Also created a “.8H” file called “clearance”.

Details of infection chain:


Rig-V via PseudoDarkleech delivers Cerber?

Full Details:

  • Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
  • 4wx[.]leecrismanradio[.]com is Rig EK, from top to bottom -> Pre-Landing -> Landing Page -> Flash exploit -> Payload
  • UDP traffic port 6892 to 91.239.25.0/24 all contained the data “0ca5ea83d2eb008c170000026”
  • Dropped payload “rad4DE50.tmp.exe”
  • Payload terminated itself and then deleted itself but also created a “.8H” file called “clearance”.
  • Emerging Threat signatures for Cerber and Conficker
  • I have not ruled out that this could be an action of Conficker but many other researchers have received Cerber following the UDP traffic observed. I have also seen the same in the past and received Cerber.

Compromised site with PseudoDarkleech (Rig EK and Cerber Ransomware) and Mobile Malware redirect.

Summary:

I found this website through someone mentioning Rig EK patterns so decided to see what it was all about. The website actually contained two redirects. One looked for a mobile user agent and redirected to a website and the other was the PseudoDarkleech gate.

My setup did not deliver Cerber ransomware however the Cerber Check In UDP traffic was observed and I believe an issue with my setup was to blame. I observed the payload terminating and deleting itself. It will be interesting to find out why this was the case.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

Downloads

Notable Details:

  • 107.180.41.47 – tlcbarandgrill[.]com – COMPROMISED WEBSITE
  • 92.53.127.208 – seo[.]marketingactivo[.]club  – RIG-V
  • 91.239.25.0/24 – UDP port 6892 – Cerber Check In IP Range
  • 185.93.187.41   – No domain – Mobile malware re-director

Details of infection chain:


Compromised site with PseudoDarkleech (Rig EK and Cerber Ransomware) and Mobile Malware redirect.

Full Details:

  • Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
  • seo[.]marketingactivo[.]club GET /?br_fl=5730&oq=CelSA9KIuKLUBbArphEyCcgZjnt9aUwtC9ampjESEy0Ob1MbR9CW9UU4HupE&q=z3bQMvXcJwDQDoTCMvrESLtEMU_OHkKK2OH_783VCZn9JHT1vvHPRAP2tgW&tuif=2014&yus=Vivaldi.99zf91.406v4o7r8&biw=Vivaldi.107xr110.406u4n4a9&ct=Vivaldi – Pre-Landing Page
  • seo[.]marketingactivo[.]club POST /?ct=SeaMonkey&oq=2aCm3YpPcsfLFXbFLoik2JcgdonoxdA10SpvisjkHXzEee1ZDW-0TeUTp1&tuif=1830&yus=SeaMonkey.124zw109.406n6g1m6&biw=SeaMonkey.102pl58.406w0o3q4&br_fl=3934&q=wXbQMvXcJwDQDobGMvrESLtANknQA0KK2Ib2_dqyEoH9eGnihNzUSkr76B
  • seo[.]marketingactivo[.]club GET /?q=wHjQMvXcJwDKFYbGMvrERqNbNknQA0KPxpH2_drSdZqxKGni0eb5UUSk6F6CEh3h_&ct=Microsoft_Edge&yus=Microsoft_Edge.91fh110.406b7f1a2&tuif=3751&oq=KIkLONTOlKwjUyIcgxjlYdfUAsU9vio30PVyxPNhZXX-kHcMg51_ZKTFLIy6B6ymQ&br_fl=4546&biw=Microsoft_Edge.99ue70.406l7h6j3 – Flash exploit
  • seo[.]marketingactivo[.]club GET /?tuif=5613&ct=Mozilla&br_fl=2142&biw=Mozilla.109db100.406y5d8m0&oq=xfIkfLMBPgvm3BSJcwxolYxUUF0Rpq6v30CEyxaehZTT_0CKNQgUrKKTE7ALhR32&yus=Mozilla.98lg70.406z1b0j8&q=w3vQMvXcJx7QFYbGMvvDSKNbNkjWHViPxouG9MildZeqZGX_k7vDfF-qoVzcCgWR – Payload
  • UDP traffic port 6892 to 91.239.25.0/24 all contained the data “400cd244ca0f008c170000034”
  • Dropped payload “rad92106.tmp.exe”.
  • Payload terminated itself and then deleted itself.
  • Emerging Threat signatures for Cerber, Conficker and Mobile Malware re-director.
  • I have not ruled out that this could be Conficker but many other researchers have received Cerber following the UDP traffic observed. I have also seen the same in the past.
  • Mobile malware URL link was dead but here is the Virus Total link which suggests it could be Kryptik: https://www.virustotal.com/en/url/16036f676ae68af394551bef757b828985d1f1f805cd3561e851fca8b6c0179a/analysis/

Older posts from Twitter

When I began analysing I did not save any files (doh!). From now on I will save files for the community to view.

Below is a set of older analysis from my Twitter: