Rig-V Exploit Kit via pseudoDarkleech from 109.234.35.244 delivers Cerber ransomware

Jan 22, 2017 by Analysis in pseudoDarkleech

I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected all lowercase.

PCAP file of the infection traffic:
2017-01-23-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

betongstudio.no – COMPROMISED SITE
109.234.35.244 – 0z5w1.truepowernow.com – RIG-V EK LANDING PAGE
84.200.4.70 – p27dokhpz2n7nvgr.16fohp.top – CERBER POST INFECT TRAFFIC
90.2.1.0 – 90.3.1.31 UDP DESTINATION PORT 6892 – CERBER POST INFECT TRAFFIC
91.239.24.0 – 91.239.25.255 UDP DESTINATION PORT 6892 – CERBER POST INFECT TRAFFIC

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig-V exploit and Cerber ransomware infection

Shown above: Injected script found on index page of compromised site which redirects visitor to the Rig-V EK landing page to start infection chain – Web page source code can be found by right clicking on web page and selecting “View source”

Shown above: Infected host desktop ransom note and payment instructions associated with Cerber Ransomware

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

2017-01-23-Rig-EK.swf
Virus Total Link
2017-01-23-radF22EA.tmp.exe
Virus Total Link

Tagged with: Cerber Ransomware, Exploit Kits, Indicator's of Compromise, IOC's, Malware Research