Rig via PseudoDarkleech delivers Cerber Ransomware

Summary:

Another Cerber from Rig EK. I’ve actually done several of these runs since my last post. I only really like to post if I can contribute something to the community. In this case I noticed the payload going idle for almost 10 minutes before the UDP requests began. I believe this could be an anti-sandbox evasion technique, as sandboxes often have a default timeout period.

Other than that, it’s the same old Cerber 🙂

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

Downloads

Notable Details:

  • 104.27.166.186 – golanguages[.]es – COMPROMISED WEBSITE
  • 194.87.238.245 – park.medlawtalk[.]tv – RIG-V
  • 91.117.40.0 -> 91.117.40.31 – UDP port 6892 – Cerber Check In IP Range
  • 91.119.40.0 -> 91.119.40.31 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.40.0 -> 91.121.40.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.41.0 -> 91.121.41.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.42.0 -> 91.121.42.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.43.0 -> 91.121.43.255 – UDP port 6892 – Cerber Check In IP Range
  • Payload was rad69926.tmp.exe -> VirusTotal
  • A delay of almost 10 minutes before any UDP traffic occurred, indicating a possible sandbox evasion technique.

Details of infection chain:


Cerber encrypts with a .ba89 extension. Note the time delay between the payload download and the first UDP check-in.

Full Details:

  • Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
  • park.medlawtalk[.]tv is Rig EK, from top to bottom -> Pre-Landing -> Landing Page -> Flash -> Payload
  • UDP traffic on port 6892 all contained the data “fd6b47b9da60f3”
  • Dropped payload “rad69926.tmp.exe”.
  • SHA256: bdba80fe4638b8ec8d0cde505cfd62ba89d90c86d856e409cabc032a34ec5750
    File name: rad69926.tmp.exe
    Detection ratio: 26 / 56
  • Payload encrypted files with a “.ba89” extension.
  • The payload appeared to be idle for almost 10 minutes. After this the usual UDP and Nbstat requests occurred and the encryption completed.
  • Cerber is likely waiting for Nbstat responses before it proceeds.
  • Emerging Threat signatures for Cerber and NBTStat query response.
  • Cerber changes the desktop background and loads an HTA file containing instructions on how to decrypt your files. It also plays an eerie audio message, in the Windows 7 female USA voice, stating that your files have been encrypted.
  • I recorded the voice: https://instaud.io/JUA#0:00.1
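The UDP/6892 check-in sweep across the ranges listed under Notable Details is a behaviour a defender can alert on from flow logs, and the gap between payload download and first check-in shows why a short sandbox timeout would miss it. The code below is an added example, not the author's code or capture; the flow log format, the distinct-destination threshold and the function names are constructed for this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Check-in ranges from the post as CIDR; 91.121.40.0-91.121.43.255 collapses to a /22.
CERBER_CHECKIN_NETS = [ipaddress.ip_network(n) for n in
                       ("91.117.40.0/27", "91.119.40.0/27", "91.121.40.0/22")]
CERBER_UDP_PORT = 6892
MIN_DISTINCT_DSTS = 16  # assumed threshold: a legitimate client never fans out like this

def is_checkin_flow(proto, dst, dport):
    """True for UDP/6892 to any address inside the listed check-in ranges."""
    if proto != "UDP" or dport != CERBER_UDP_PORT:
        return False
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in CERBER_CHECKIN_NETS)

def parse_flows(text):
    """Parse constructed 'timestamp proto src dst dport' lines into tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, proto, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), proto, src, dst, int(dport)))
    return flows

def find_cerber_sweeps(flows):
    """Return {src: (seconds from first activity to first check-in, distinct targets)}
    for every source host that hit at least MIN_DISTINCT_DSTS check-in addresses."""
    first_seen, first_checkin, targets = {}, {}, defaultdict(set)
    for ts, proto, src, dst, dport in sorted(flows):
        first_seen.setdefault(src, ts)
        if is_checkin_flow(proto, dst, dport):
            first_checkin.setdefault(src, ts)
            targets[src].add(dst)
    return {src: (int((first_checkin[src] - first_seen[src]).total_seconds()), len(dsts))
            for src, dsts in targets.items() if len(dsts) >= MIN_DISTINCT_DSTS}

# Constructed sample log (not the author's pcap): 10.0.0.5 fetches the payload over
# TCP at 10:00:03, sits idle, then sweeps UDP/6892 from 10:09:51. 10.0.0.7 is benign:
# DNS, plus one UDP/6892 packet to an address outside the Cerber ranges.
_lines = ["2017-05-02T10:00:03 TCP 10.0.0.5 194.87.238.245 80",
          "2017-05-02T10:00:10 UDP 10.0.0.7 10.0.0.1 53",
          "2017-05-02T10:00:12 UDP 10.0.0.7 203.0.113.9 6892"]
_lines += [f"2017-05-02T10:09:51 UDP 10.0.0.5 91.117.40.{i} 6892" for i in range(8)]
_lines += [f"2017-05-02T10:09:52 UDP 10.0.0.5 91.121.40.{i} 6892" for i in range(24)]
SAMPLE_LOG = "\n".join(_lines)

if __name__ == "__main__":
    print(find_cerber_sweeps(parse_flows(SAMPLE_LOG)))
```

Only the sweeping host is reported, together with the 588-second idle gap that a sandbox with a five-minute timeout would never reach.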
