I had previously done analysis on the compromised website on 2nd January. I thought I would try it again to see if there were any differences. The website still contains the PseudoDarkleech gate which is delivering Cerber.
My setup did not deliver Cerber ransomware however the Cerber Check In UDP traffic was observed again. I put the payload through an online sandbox to see what would happen and found the exact same result. The payload did not create a file with a strange extension as I have previously seen so the function of that file is unknown.
I have been unable to find an answer as to why Cerber creates the UDP traffic. It is possible the payload has other functionality such as commands to a bot net to perform DDoS or the Emerging Threat signature is a not a false positive and it is an action of the infamous Conficker.
Interestingly an article regarding Sage Ransomware mentions a similar UDP traffic:
When the callback domains for Sage didn’t resolve in DNS, the infected host sent UDP packets sent to over 7,000 IP addresses. I think this could be UDP-based peer-to-peer (P2P) traffic, and it appears to be somehow encoded or encrypted. BleepingComputer’s September 2016 write-up on CryLocker shows the same type of UDP post-infection traffic, but CryLocker’s traffic was not encrypted.
- A few articles on Rig exploit kit and it’s evolution:
- Article on the PseudoDarkleech campaign and its history:
- 250117-rigcerber -> Contains pcap and payload in password protected zip.
- 126.96.36.199 – crowsrunrecycling.com – COMPROMISED WEBSITE
- 188.8.131.52 – cast[.]rednationrising[.]tv – RIG-V
- 184.108.40.206/24 – UDP port 6892 – Cerber Check In IP Range
- 220.127.116.11/24 – UDP port 6892 – Cerber Check In IP Range
- 18.104.22.168 -> 22.214.171.124 – UDP port 6892 – Other UDP Traffic
- 126.96.36.199 -> 188.8.131.52 – UDP port 6892 – Other UDP Traffic
- Payload was radC873.tmp.exe -> VirusTotal
- Conscious that I did not receive Cerber I also put it into HybridAnalysis which reported the exact same result.
- Did not create any other file with unusual extension like previous attempts
Details of infection chain:
- Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
- cast[.]rednationrising[.]tv is Rig EK, from top to bottom -> Pre-Landing -> Landing Page -> Flash -> Payload
- I included the shellcode that is run after the successful exploit.
- UDP traffic port 6892 all contained the data”7c1cf9fa1c20008c1700000ec“
- Dropped payload “radC873.tmp.exe“. Payload did not create any unusual files like I have seen previously.
SHA256: 346aa416f048b2733b0971f3ae02ad353f7d3b22f447c372b16bab16af5a290a File name: radC8973.tmp.exe Detection ratio: 9 / 56
- Payload terminated itself, did a Ping – n 127.0.0.1 and then deleted itself.
- Emerging Threat signatures for Cerber and Conficker.
- Malwarebytes detects it as Cerber Ransomware.
- I have not ruled out that this could be an action of Conficker but many other researchers have received Cerber following the UDP traffic observed. I have also seen the same in the past and received Cerber.