I have not been detecting as much Rig EK activity as last year. Many researchers are reporting interesting malwares dropped by other gates (EITest). I appear to be stuck with PseudoDarkleech which always delivers Cerber.
Nonetheless Cerber is a dangerous ransomware and hopefully some of the IOC’s or the pcap can help you to detect and block Cerber.
- A few articles on Rig exploit kit and it’s evolution:
- Article on the PseudoDarkleech campaign and its history:
- cerberrig-130217-> Contains pcapng and payload in password protected zip.
- 22.214.171.124 – atadi[.]es – COMPROMISED WEBSITE
- 126.96.36.199 – far.askgrannydating[.]com – RIG-V
- 188.8.131.52 -> 184.108.40.206 UDP port 6892 – Cerber Check In IP Range
- 220.127.116.11 -> 18.104.22.168 – UDP port 6892 – Cerber Check In IP Range
- 22.214.171.124 -> 126.96.36.199 – UDP port 6892 – Cerber Check In IP Range
- 188.8.131.52 -> 184.108.40.206 – UDP port 6892 – Cerber Check In IP Range
- 220.127.116.11 -> 18.104.22.168 – UDP port 6892 – Cerber Check In IP Range
- 22.214.171.124 -> 126.96.36.199 – UDP port 6892 – Cerber Check In IP Range
- Payload was rad0489A.tmp.exe -> VirusTotal
- Had a time delay before UDP traffic occurred of almost less than 2 minutes indicating a possible sandbox evasion technique.
Details of infection chain:
(click to enlarge!)
- Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
- far.askgrannydating[.]com is Rig EK, from top to bottom -> Pre-Landing -> Landing Page -> Flash -> Payload
- UDP traffic port 6892 came in two variants. The first was of length 25 and occurred around 40 seconds from the start of capture. The second was of length 14 which occurred after almost 2 minutes.
- Dropped payload “rad0489A.tmp.exe”.
SHA256: ad22b0a80b153f23d4fe63ad9a26d180d2c870c59ab6aec73976ef82fc3778da File name: rad0489A.tmp.exe Detection ratio: 6 / 57
- Payload encrypted files with a “.ba89” extension.
- Cerber is likely waiting for Nbstat responses before it proceeds.
- Emerging Threat signatures for Cerber and NBTStat query response.
- Cerber changes the background and loads a HTA file containing instructions on how to decrypt your files. It also plays an eerie audio stating that your files have been encrypted in the Windows 7 female USA voice.
- I recorded the voice: https://instaud.io/JUA#0:00.1
- I could not access any of the ransom URL’s and attempts to generate a new URL using the HTA tool provided by Cerber failed and resulted in an error.