Rig via PseudoDarkleech delivers Cerber Ransomware

Summary:

I have not been detecting as much Rig EK activity as last year. Many researchers are reporting interesting malwares dropped by other gates (EITest). I appear to be stuck with PseudoDarkleech which always delivers Cerber.

Nonetheless Cerber is a dangerous ransomware and hopefully some of the IOC’s or the pcap can help you to detect and block Cerber.

Background Information:

  • A few articles on Rig exploit kit and it’s evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on the PseudoDarkleech campaign and its history:

http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolution-pseudo-darkleech-2016/

Downloads

Notable Details:

  • 87.98.231.16 – atadi[.]es – COMPROMISED WEBSITE
  • 217.107.34.172 – far.askgrannydating[.]com – RIG-V
  • 91.121.56.0 -> 91.121.56.255 UDP port 6892 – Cerber Check In IP Range
  • 91.121.57.0 -> 91.121.57.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.58.0 -> 91.121.58.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.121.59.0 -> 91.121.59.255 – UDP port 6892 – Cerber Check In IP Range
  • 91.119.56.0 -> 91.119.56.31 – UDP port 6892 – Cerber Check In IP Range
  • 91.120.56.0 -> 91.120.56.31 – UDP port 6892 – Cerber Check In IP Range
  • Payload was rad0489A.tmp.exe -> VirusTotal
  • Had a time delay before UDP traffic occurred of almost less than 2 minutes indicating a possible sandbox evasion technique.

Details of infection chain:

(click to enlarge!)

130217-rigcerber

Cerber encrypts files with a .ba89 extension. This picture shows UDP traffic and an excessive attempt to generate a new ransom URL.

Full Details:

  • Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
  • far.askgrannydating[.]com is Rig EK, from top to bottom -> Pre-Landing -> Landing Page -> Flash  -> Payload
  • UDP traffic port 6892 came in two variants. The first was of length 25 and occurred around 40 seconds from the start of capture. The second was of length 14 which occurred after almost 2 minutes.
  • Dropped payload “rad0489A.tmp.exe”.
  • SHA256: ad22b0a80b153f23d4fe63ad9a26d180d2c870c59ab6aec73976ef82fc3778da
    File name: rad0489A.tmp.exe
    Detection ratio: 6 / 57
  • Payload encrypted files with a  “.ba89” extension.
  • Cerber is likely waiting for Nbstat responses before it proceeds.
  • Emerging Threat signatures for Cerber and NBTStat query response.
  • Cerber changes the background and loads a HTA file containing instructions on how to decrypt your files. It also plays an eerie audio stating that your files have been encrypted in the Windows 7 female USA voice.
  • I recorded the voice: https://instaud.io/JUA#0:00.1
  • I could not access any of the ransom URL’s and attempts to generate a new URL using the HTA tool provided by Cerber failed and resulted in an error.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s