Another Cerber from Rig EK. I’ve actually done several of these runs since my last post. I only really like to post if I can contribute something to the community. In this case I noticed the payload going idle for almost 10 minutes before the UDP requests began. I believe this could be an anti-sandbox evasion technique as often sandboxes have a default time out period.
Other than that, it’s the same old Cerber 🙂
- A few articles on Rig exploit kit and it’s evolution:
- Article on the PseudoDarkleech campaign and its history:
- 050217-rigcerber-> Contains pcapng and payload in password protected zip.
- 126.96.36.199 – golanguages[.]es – COMPROMISED WEBSITE
- 188.8.131.52 – park.medlawtalk[.]tv – RIG-V
- 184.108.40.206 -> 220.127.116.11 UDP port 6892 – Cerber Check In IP Range
- 18.104.22.168 -> 22.214.171.124 – UDP port 6892 – Cerber Check In IP Range
- 126.96.36.199 -> 188.8.131.52 – UDP port 6892 – Cerber Check In IP Range
- 184.108.40.206 -> 220.127.116.11 – UDP port 6892 – Cerber Check In IP Range
- 18.104.22.168 -> 22.214.171.124 – UDP port 6892 – Cerber Check In IP Range
- 126.96.36.199 -> 188.8.131.52 – UDP port 6892 – Cerber Check In IP Range
- Payload was rad69926.tmp.exe -> VirusTotal
- Had a time delay before UDP traffic occurred of almost 10 minutes indicating a possible sandbox evasion technique.
Details of infection chain:
- Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
- park.medlawtalk[.]tv is Rig EK, from top to bottom -> Pre-Landing -> Landing Page -> Flash -> Payload
- UDP traffic port 6892 all contained the data”fd6b47b9da60f3“
- Dropped payload “rad69926.tmp.exe”.
SHA256: bdba80fe4638b8ec8d0cde505cfd62ba89d90c86d856e409cabc032a34ec5750 File name: rad69926.tmp.exe Detection ratio: 26 / 56
- Payload encrypted files with a “.ba89” extension.
- The payload appeared to be idle for almost 10 minutes. After this the usual UDP and Nbstat requests occurred and the encryption completed.
- Cerber is likely waiting for Nbstat responses before it proceeds.
- Emerging Threat signatures for Cerber and NBTStat query response.
- Cerber changes the background and loads a HTA file containing instructions on how to decrypt your files. It also plays an eerie audio stating that your files have been encrypted in the Windows 7 female USA voice.
- I recorded the voice: https://instaud.io/JUA#0:00.1