Rig-V Exploit Kit via pseudoDarkleech from 109.234.35.244 delivers Cerber ransomware
I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).
PCAP file of the infection traffic:
2017-01-23-Rig-EK-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES:
- betongstudio.no – COMPROMISED SITE
- 109.234.35.244 – 0z5w1.truepowernow.com – RIG-V EK LANDING PAGE
- 84.200.4.70 – p27dokhpz2n7nvgr.16fohp.top – CERBER POST INFECT TRAFFIC
- 90.2.1.0 through 90.3.1.31 – UDP DESTINATION PORT 6892 – CERBER POST INFECT TRAFFIC
- 91.239.24.0 through 91.239.25.255 – UDP DESTINATION PORT 6892 – CERBER POST INFECT TRAFFIC
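As an added example that is not part of the original post, the script below turns the indicators listed above into a simple detection pass over flow records. The two first-to-last IP ranges are expanded into CIDR blocks with the standard-library ipaddress module (the form firewall and IDS rule languages usually want), each flow is labelled with the infection stage it matches, and hits are grouped per internal host so that a handful of UDP/6892 packets to distinct addresses inside the listed ranges is reported as the Cerber post-infection pattern rather than as isolated alerts. The flow records, the internal host 192.168.1.10, the field names (src, dst, dport, proto, host) and the udp_spray_threshold knob are all constructed assumptions of this example; 203.0.113.5 stands in for the compromised site's address, which the post does not list.

```python
"""Match flow records against the Rig-V / Cerber indicators listed above.

Added example for this post, not code from the original page. Flow records
below are constructed; field names and the spray threshold are assumptions.
"""
import ipaddress
from collections import defaultdict

# Indicators transcribed from the list above.
COMPROMISED_SITES = {"betongstudio.no"}
RIG_LANDING_HOSTS = {"0z5w1.truepowernow.com": "109.234.35.244"}
CERBER_HTTP_HOSTS = {"p27dokhpz2n7nvgr.16fohp.top": "84.200.4.70"}
CERBER_UDP_PORT = 6892
CERBER_UDP_RANGES = [("90.2.1.0", "90.3.1.31"),
                     ("91.239.24.0", "91.239.25.255")]


def ranges_to_cidrs(ranges):
    """Expand first-last address ranges into the minimal list of CIDR blocks."""
    cidrs = []
    for first, last in ranges:
        cidrs.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return cidrs


CERBER_UDP_CIDRS = ranges_to_cidrs(CERBER_UDP_RANGES)


def in_cerber_range(addr):
    """True if addr falls inside one of the listed Cerber UDP destination ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CERBER_UDP_CIDRS)


def classify_flow(flow):
    """Label one flow with the infection stage it matches, or None.

    flow is a dict with keys src, dst, dport, proto and, for HTTP, host
    (assumed field names; map your own log schema onto them).
    """
    if (flow["proto"] == "udp" and flow["dport"] == CERBER_UDP_PORT
            and in_cerber_range(flow["dst"])):
        return "cerber-udp-postinfection"
    host = flow.get("host")
    if flow["proto"] == "tcp" and host:
        # Match on Host header or destination IP, since a given log source
        # may carry only one of the two.
        if host in RIG_LANDING_HOSTS or flow["dst"] in RIG_LANDING_HOSTS.values():
            return "rig-v-landing"
        if host in CERBER_HTTP_HOSTS or flow["dst"] in CERBER_HTTP_HOSTS.values():
            return "cerber-http-postinfection"
        if host in COMPROMISED_SITES:
            return "compromised-site"
    return None


def triage(flows, udp_spray_threshold=3):
    """Group indicator hits by internal source host.

    Returns {src: {"stages": [...], "udp_spray": bool}}. udp_spray becomes
    True once a host has sent UDP/6892 to udp_spray_threshold distinct
    addresses inside the listed ranges (assumed knob: one hit may be noise,
    several distinct targets in those ranges is the pattern to escalate).
    """
    hits = defaultdict(lambda: {"stages": set(), "udp_targets": set()})
    for flow in flows:
        label = classify_flow(flow)
        if label is None:
            continue
        rec = hits[flow["src"]]
        rec["stages"].add(label)
        if label == "cerber-udp-postinfection":
            rec["udp_targets"].add(flow["dst"])
    return {src: {"stages": sorted(rec["stages"]),
                  "udp_spray": len(rec["udp_targets"]) >= udp_spray_threshold}
            for src, rec in hits.items()}


# Constructed flow records (not from the pcap). 203.0.113.5 stands in for the
# compromised site's address, which the post does not list.
SAMPLE_FLOWS = [
    {"src": "192.168.1.10", "dst": "203.0.113.5", "dport": 80, "proto": "tcp",
     "host": "betongstudio.no"},
    {"src": "192.168.1.10", "dst": "109.234.35.244", "dport": 80, "proto": "tcp",
     "host": "0z5w1.truepowernow.com"},
    {"src": "192.168.1.10", "dst": "84.200.4.70", "dport": 80, "proto": "tcp",
     "host": "p27dokhpz2n7nvgr.16fohp.top"},
    {"src": "192.168.1.10", "dst": "90.2.1.0", "dport": 6892, "proto": "udp"},
    {"src": "192.168.1.10", "dst": "90.2.200.17", "dport": 6892, "proto": "udp"},
    {"src": "192.168.1.10", "dst": "91.239.25.255", "dport": 6892, "proto": "udp"},
    # One address past the end of the first range: must not match.
    {"src": "192.168.1.10", "dst": "90.3.1.32", "dport": 6892, "proto": "udp"},
    # Benign DNS from another host: no hit, so it never appears in the report.
    {"src": "192.168.1.11", "dst": "192.168.1.1", "dport": 53, "proto": "udp"},
]

if __name__ == "__main__":
    for net in CERBER_UDP_CIDRS:
        print("block:", net)
    for src, rec in triage(SAMPLE_FLOWS).items():
        print(src, rec)
```

Feeding real Zeek conn.log or http.log rows in requires only a small adapter that maps id.orig_h, id.resp_h, id.resp_p, proto and host onto the keys used here; the CIDR list printed by the block is what you would paste into a firewall deny rule or an IDS rule's destination address list.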
IMAGES AND DETAILS OF INFECTION CHAIN:
- Image 1: Network traffic from the pcap associated with the Rig-V EK and Cerber ransomware infection.
- Image 2: Injected script found on the index page of the compromised site, which redirects the visitor to the Rig-V EK landing page to start the infection chain. (The page source can be viewed by right-clicking the web page and selecting "View source".)
- Image 3: Infected host desktop showing the ransom note and payment instructions associated with Cerber ransomware.
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:
- 2017-01-23-Rig-EK.swf (Flash file served by the Rig-V EK) – VirusTotal link
- 2017-01-23-radF22EA.tmp.exe (Windows executable) – VirusTotal link