Rig Exploit Kit via EITEST delivers Cerber ransomware
- Today I captured traffic from the Rig Exploit Kit (EK) that delivered Cerber ransomware via the EITEST campaign.
- This is my first time seeing the EITEST campaign deliver Cerber ransomware.
- I was not able to retrieve the payload from the post-infection host. However, it is in the pcap file, encrypted.
- The EITEST campaign has continued to use Rig EK since switching from Neutrino EK on August 15th, 2016.
- This is a follow-up to an earlier Twitter post.
- Again thanks to @CyberScimitar for the tip.
I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- 126.96.36.199 – oveced.xyz – EITEST GATE
- 188.8.131.52 – ew.yoursleepcoach.com – RIG EK LANDING PAGE
- 184.108.40.206 – ip-api.com – GET /json – connectivity/IP check by Cerber
- 220.127.116.11 – 4kqd3hmqgptupi3p.8kcfnk.bid – Cerber decrypt instructions
- 18.104.22.168 – 22.214.171.124 port 6892 – UDP post-infection traffic associated with Cerber ransomware
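As an added example (not code from the original post), the script below matches Zeek-style JSON records from conn, http and dns logs against the indicators listed above and reconstructs the order of the chain. The log records in it are constructed for the example, not taken from the author's pcap; the field names follow Zeek's conn/http/dns logs, and the two addresses listed for the UDP traffic are treated as individual destinations. The ip-api.com GET /json is a public geolocation lookup that plenty of legitimate software performs, so it is only reported once a high-confidence stage has already fired.

```python
"""IOC matcher for the Rig EK / EITEST -> Cerber chain described in this post.

Reads Zeek-style JSON records (conn, http, dns), tags each with the stage of the
infection chain it belongs to, and returns the stages in time order.
The sample records at the bottom are constructed for this example.
"""
import json
from dataclasses import dataclass

# Indicators copied from the post's IOC list, keyed by chain stage.
IOCS = {
    "eitest_gate": {"domains": {"oveced.xyz"}, "ips": {"126.96.36.199"}},
    "rig_landing": {"domains": {"ew.yoursleepcoach.com"}, "ips": {"188.8.131.52"}},
    "cerber_decrypt_page": {"domains": {"4kqd3hmqgptupi3p.8kcfnk.bid"}, "ips": {"220.127.116.11"}},
    # Assumption: the two listed addresses are treated as individual UDP destinations.
    "cerber_udp_beacon": {"ips": {"18.104.22.168", "22.214.171.124"}, "udp_port": 6892},
}
# Weak indicator on its own (public geolocation service); only reported in context.
IP_CHECK = {"domain": "ip-api.com", "uri": "/json"}


@dataclass
class Hit:
    ts: float
    stage: str
    evidence: str
    confidence: str


def _domain_matches(host, domains):
    """True if host equals or is a subdomain of any indicator domain."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(rec):
    """Map one Zeek-style record to a Hit, or None if it matches nothing."""
    kind = rec.get("_log")
    if kind == "dns":
        q = rec.get("query", "")
        for stage, ioc in IOCS.items():
            if _domain_matches(q, ioc.get("domains", ())):
                return Hit(rec["ts"], stage, f"dns query {q}", "high")
        if _domain_matches(q, {IP_CHECK["domain"]}):
            return Hit(rec["ts"], "cerber_ip_check", f"dns query {q}", "low")
    elif kind == "http":
        host, dst = rec.get("host", ""), rec.get("id.resp_h")
        desc = f"http {rec.get('method')} {host}{rec.get('uri', '')}"
        for stage, ioc in IOCS.items():
            if _domain_matches(host, ioc.get("domains", ())) or dst in ioc.get("ips", ()):
                return Hit(rec["ts"], stage, desc, "high")
        if _domain_matches(host, {IP_CHECK["domain"]}) and rec.get("uri", "").startswith(IP_CHECK["uri"]):
            return Hit(rec["ts"], "cerber_ip_check", desc, "low")
    elif kind == "conn":
        dst, proto, dport = rec.get("id.resp_h"), rec.get("proto"), rec.get("id.resp_p")
        beacon = IOCS["cerber_udp_beacon"]
        # The UDP beacon is the one post-infection indicator: match protocol, port and destination.
        if proto == "udp" and dport == beacon["udp_port"] and dst in beacon["ips"]:
            return Hit(rec["ts"], "cerber_udp_beacon", f"udp to {dst}:{dport}", "high")
        for stage, ioc in IOCS.items():
            if dst in ioc.get("ips", ()):
                return Hit(rec["ts"], stage, f"conn to {dst}:{dport}/{proto}", "medium")
    return None


def scan(text):
    """Classify every JSON line, sort by time, and drop the weak ip-api hit
    unless a high-confidence stage fired before it."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            h = classify(json.loads(line))
            if h:
                hits.append(h)
    hits.sort(key=lambda h: h.ts)
    out, seen_high = [], False
    for h in hits:
        seen_high = seen_high or h.confidence == "high"
        if h.confidence == "low" and not seen_high:
            continue
        out.append(h)
    return out


def chain(hits):
    """Stage names in order, with consecutive duplicates collapsed."""
    stages = []
    for h in hits:
        if not stages or stages[-1] != h.stage:
            stages.append(h.stage)
    return stages


# Constructed sample records (not from the author's capture); 203.0.113.5 is a documentation address.
SAMPLE_LOG = """
{"_log":"http","ts":0.5,"id.resp_h":"203.0.113.5","host":"example.com","method":"GET","uri":"/"}
{"_log":"dns","ts":1.0,"query":"oveced.xyz"}
{"_log":"http","ts":1.1,"id.resp_h":"126.96.36.199","host":"oveced.xyz","method":"GET","uri":"/"}
{"_log":"http","ts":2.0,"id.resp_h":"188.8.131.52","host":"ew.yoursleepcoach.com","method":"GET","uri":"/?q=landing"}
{"_log":"http","ts":3.0,"id.resp_h":"184.108.40.206","host":"ip-api.com","method":"GET","uri":"/json"}
{"_log":"conn","ts":4.0,"id.resp_h":"18.104.22.168","id.resp_p":6892,"proto":"udp"}
{"_log":"dns","ts":5.0,"query":"4kqd3hmqgptupi3p.8kcfnk.bid"}
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts:5.1f}  {h.stage:<22} {h.confidence:<6} {h.evidence}")
```

The ordering check in `scan` is what keeps this from alerting on every host that happens to query ip-api.com: the lookup only counts when it follows the gate or landing-page traffic.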
ASSOCIATED DOMAIN FOR RANSOM PAYMENT:
IMAGES AND DETAILS OF INFECTION CHAIN:
Shown above: injected script found on the index page of the compromised site, which redirects the visitor to the EITEST gate to start the infection chain – the web page source code can be found by right-clicking on the web page and selecting “View source”
I excluded ip-api.com from the pcap file to protect my source address, and sorry, I forgot to add the UDP traffic after scrubbing and uploading the pcap file.