I found this website through someone mentioning Rig EK patterns so decided to see what it was all about. The website actually contained two redirects. One looked for a mobile user agent and redirected to a website and the other was the PseudoDarkleech gate.
My setup did not deliver Cerber ransomware however the Cerber Check In UDP traffic was observed and I believe an issue with my setup was to blame. I observed the payload terminating and deleting itself. It will be interesting to find out why this was the case.
- A few articles on Rig exploit kit and it’s evolution:
- Article on the PseudoDarkleech campaign and its history:
- PCAP to come
- 126.96.36.199 – tlcbarandgrill[.]com – COMPROMISED WEBSITE
- 188.8.131.52 – seo[.]marketingactivo[.]club – RIG-V
- 184.108.40.206/24 – UDP port 6892 – Cerber Check In IP Range
- 220.127.116.11 – No domain – Mobile malware re-director
Details of infection chain:
- Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
- seo[.]marketingactivo[.]club GET /?br_fl=5730&oq=CelSA9KIuKLUBbArphEyCcgZjnt9aUwtC9ampjESEy0Ob1MbR9CW9U U4HupE&q=z3bQMvXcJwDQDoTCMvrESLtEMU_OHkKK2OH_783VCZn9JHT1vvHPRAP 2tgW&tuif=2014&yus=Vivaldi.99zf91.406v4o7r8&biw=Vivaldi.107xr110.406u4n4a9&ct=Vivaldi – Pre-Landing Page
- seo[.]marketingactivo[.]club POST /?ct=SeaMonkey&oq=2aCm3YpPcsfLFXbFLoik2JcgdonoxdA10SpvisjkHXzEee1ZDW- 0TeUTp1&tuif=1830&yus=SeaMonkey.124zw109.406n6g1m6&biw=SeaMonkey.102pl5 8.406w0o3q4&br_fl=3934&q=wXbQMvXcJwDQDobGMvrESLtANknQA0KK2Ib2_dqyEo H9eGnihNzUSkr76B – seo[.]marketingactivo[.]club GET /? q=wHjQMvXcJwDKFYbGMvrERqNbNknQA0KPxpH2_drSdZqxKGni0eb5UUSk6F6CEh3 h_&ct=Microsoft_Edge&yus=Microsoft_Edge.91fh110.406b7f1a2&tuif=3751&oq=KIkL ONTOlKwjUyIcgxjlYdfUAsU9vio30PVyxPNhZXX- kHcMg51_ZKTFLIy6B6ymQ&br_fl=4546&biw=Microsoft_Edge.99ue70.406l7h6j3 – Flash exploit
- seo[.]marketingactivo[.]club GET /? tuif=5613&ct=Mozilla&br_fl=2142&biw=Mozilla.109db100.406y5d8m0&oq=xfIkfLMBP gvm3BSJcwxolYxUUF0Rpq6v30CEyxaehZTT_0CKNQgUrKKTE7ALhR32&yus=Mozilla.9 8lg70.406z1b0j8&q=w3vQMvXcJx7QFYbGMvvDSKNbNkjWHViPxouG9MildZeqZGX_k 7vDfF-qoVzcCgWR – Payload
- UDP traffic port 6892 to 18.104.22.168/24 all contained the data “400cd244ca0f008c170000034“
- Dropped payload “rad92106.tmp.exe“UDP traffic port 6892 to 22.214.171.124/24 all contained the data “400cd244ca0f008c170000034“
- Payload terminated itself and then deleted itself.
- Emerging Threat signatures for Cerber, Conficker and Mobile Malware re-director.
- I have not ruled out that this could be Conficker but many other researchers have received Cerber following the UDP traffic observed. I have also seen the same in the past.
- Mobile malware URL link was dead but here is the Virus Total link which suggest it could be Kryptik: https://www.virustotal.com/en/url/16036f676ae68af394551bef757b828985d1f1f805cd3561e851fca8b6c0179a/analysis/