Compromised site with PseudoDarkleech (Rig EK and Cerber Ransomware) and Mobile Malware redirect.

Summary:

I found this website through someone mentioning Rig EK patterns, so I decided to see what it was all about. The website actually contained two redirects: one checked for a mobile user agent and redirected to a separate website, and the other was the PseudoDarkleech gate.

My setup did not deliver Cerber ransomware; however, the Cerber check-in UDP traffic was observed, and I believe an issue with my setup was to blame. I observed the payload terminating and deleting itself. It will be interesting to find out why this was the case.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

Notable Details:

  • 107.180.41.47 – tlcbarandgrill[.]com – COMPROMISED WEBSITE
  • 92.53.127.208 – seo[.]marketingactivo[.]club – RIG-V
  • 91.239.25.0/24 – UDP port 6892 – Cerber Check In IP Range
  • 185.93.187.41 – No domain – Mobile malware re-director

Details of infection chain:

[Figure: Compromised site with PseudoDarkleech (Rig EK and Cerber Ransomware) and Mobile Malware redirect]

Full Details:

  • Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
  • seo[.]marketingactivo[.]club GET /?br_fl=5730&oq=CelSA9KIuKLUBbArphEyCcgZjnt9aUwtC9ampjESEy0Ob1MbR9CW9UU4HupE&q=z3bQMvXcJwDQDoTCMvrESLtEMU_OHkKK2OH_783VCZn9JHT1vvHPRAP2tgW&tuif=2014&yus=Vivaldi.99zf91.406v4o7r8&biw=Vivaldi.107xr110.406u4n4a9&ct=Vivaldi – Pre-Landing Page
  • seo[.]marketingactivo[.]club POST /?ct=SeaMonkey&oq=2aCm3YpPcsfLFXbFLoik2JcgdonoxdA10SpvisjkHXzEee1ZDW-0TeUTp1&tuif=1830&yus=SeaMonkey.124zw109.406n6g1m6&biw=SeaMonkey.102pl58.406w0o3q4&br_fl=3934&q=wXbQMvXcJwDQDobGMvrESLtANknQA0KK2Ib2_dqyEoH9eGnihNzUSkr76B
  • seo[.]marketingactivo[.]club GET /?q=wHjQMvXcJwDKFYbGMvrERqNbNknQA0KPxpH2_drSdZqxKGni0eb5UUSk6F6CEh3h_&ct=Microsoft_Edge&yus=Microsoft_Edge.91fh110.406b7f1a2&tuif=3751&oq=KIkLONTOlKwjUyIcgxjlYdfUAsU9vio30PVyxPNhZXX-kHcMg51_ZKTFLIy6B6ymQ&br_fl=4546&biw=Microsoft_Edge.99ue70.406l7h6j3 – Flash exploit
  • seo[.]marketingactivo[.]club GET /?tuif=5613&ct=Mozilla&br_fl=2142&biw=Mozilla.109db100.406y5d8m0&oq=xfIkfLMBPgvm3BSJcwxolYxUUF0Rpq6v30CEyxaehZTT_0CKNQgUrKKTE7ALhR32&yus=Mozilla.98lg70.406z1b0j8&q=w3vQMvXcJx7QFYbGMvvDSKNbNkjWHViPxouG9MildZeqZGX_k7vDfF-qoVzcCgWR – Payload
  • UDP traffic on port 6892 to 91.239.25.0/24 all contained the data “400cd244ca0f008c170000034”.
  • Dropped payload “rad92106.tmp.exe”.
  • Payload terminated itself and then deleted itself.
  • Emerging Threats signatures fired for Cerber, Conficker and the mobile malware re-director.
  • I have not ruled out that this could be Conficker but many other researchers have received Cerber following the UDP traffic observed. I have also seen the same in the past.
  • The mobile malware URL was dead, but here is the VirusTotal link, which suggests it could be Kryptik: https://www.virustotal.com/en/url/16036f676ae68af394551bef757b828985d1f1f805cd3561e851fca8b6c0179a/analysis/
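As an added example (not code from the original post), the two indicators above can be turned into simple triage logic: the Rig-V requests all carry the same seven query parameters, with yus and biw prefixed by the browser name in ct, and the Cerber check-in is UDP/6892 into 91.239.25.0/24. The log format and the sample records below are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Rig-V pre-landing, landing, exploit and payload requests in this post share
# exactly these query parameters; ct names a browser and yus/biw start with it.
RIG_V_PARAMS = {"br_fl", "oq", "q", "tuif", "yus", "biw", "ct"}
TOKEN_RE = re.compile(r"^[A-Za-z_]+\.\d+[a-z]+\d+\.\d+(?:[a-z]\d)+$")

# Cerber check-in traffic seen in the post: UDP port 6892 to 91.239.25.0/24.
CERBER_NET = ipaddress.ip_network("91.239.25.0/24")
CERBER_PORT = 6892


def is_rig_v_url(url: str) -> bool:
    """True when the query string has the Rig-V shape described in the post."""
    qs = parse_qs(urlsplit(url).query)
    if set(qs) != RIG_V_PARAMS:          # strict match on the parameter set
        return False
    ct = qs["ct"][0]
    return all(qs[k][0].startswith(ct + ".") and bool(TOKEN_RE.match(qs[k][0]))
               for k in ("yus", "biw"))


def is_cerber_checkin(dst_ip: str, proto: str, dst_port: int) -> bool:
    """True for UDP datagrams to port 6892 inside the check-in range."""
    return (proto.upper() == "UDP" and dst_port == CERBER_PORT
            and ipaddress.ip_address(dst_ip) in CERBER_NET)


# Constructed sample records (not from the post's pcap): "proto dst_ip dst_port url".
SAMPLE = [
    "TCP 92.53.127.208 80 http://seo.marketingactivo.club/?br_fl=5730&oq=CelSA9K"
    "&q=z3bQMv&tuif=2014&yus=Vivaldi.99zf91.406v4o7r8&biw=Vivaldi.107xr110.406u4n4a9&ct=Vivaldi",
    "TCP 203.0.113.5 80 http://example.com/?q=search&ct=Vivaldi",
    "UDP 91.239.25.17 6892 -",
    "UDP 203.0.113.53 53 -",
]


def triage(records):
    """Return (record_index, label) for every record matching an indicator."""
    hits = []
    for i, rec in enumerate(records):
        proto, ip, port, url = rec.split(" ", 3)
        if is_cerber_checkin(ip, proto, int(port)):
            hits.append((i, "cerber-checkin-udp"))
        elif url != "-" and is_rig_v_url(url):
            hits.append((i, "rig-v-url"))
    return hits
```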
