
pseudoDarkleech Rig EK, (Fri, Oct 14th)

Introduction

Since Monday 2016-10-03, the pseudoDarkleech campaign has been using Rig exploit kit (EK) to distribute Cerber ransomware.

Shown above: An infection chain of events.

Shown above: UDP traffic seen during this infection.

Traffic caused by this infection chain of events:

  • 5.200.55.214 port 80 - add.qualitiesforlife.com - Rig EK
  • 31.184.234.0 through 31.184.235.255 (31.184.234.0/23) port 6892 - UDP traffic caused by Cerber
  • 107.161.95.138 port 80 - ffoqr3ug7m726zou.nbz4dn.top - HTTP traffic caused by Cerber ransomware

Other domains from the Cerber ransomware decryption instructions:

  • ffoqr3ug7m726zou.19jmfr.top
  • ffoqr3ug7m726zou.5y6w0n.top
  • ffoqr3ug7m726zou.onion.to
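The indicators listed above can be turned directly into a small detection check. The following is an added example written for this diary, not code from the author or from the ISC; it assumes a constructed, simplified connection-log format (`proto src_ip dst_ip dst_port [host]`) and flags records matching the Rig EK landing domain, the Cerber HTTP domains, and UDP to 31.184.234.0/23 on port 6892.

```python
import ipaddress

# Indicators taken from the diary above (Rig EK / Cerber traffic).
RIG_EK_HOSTS = {"add.qualitiesforlife.com"}
CERBER_HTTP_HOSTS = {
    "ffoqr3ug7m726zou.nbz4dn.top",
    "ffoqr3ug7m726zou.19jmfr.top",
    "ffoqr3ug7m726zou.5y6w0n.top",
    "ffoqr3ug7m726zou.onion.to",
}
CERBER_UDP_NET = ipaddress.ip_network("31.184.234.0/23")
CERBER_UDP_PORT = 6892

def classify(proto, dst_ip, dst_port, host=""):
    """Label one connection record that matches a diary indicator, else None."""
    if (proto == "udp" and dst_port == CERBER_UDP_PORT
            and ipaddress.ip_address(dst_ip) in CERBER_UDP_NET):
        return "cerber-udp-beacon"
    if proto == "tcp" and dst_port == 80:
        if host in RIG_EK_HOSTS:
            return "rig-ek-landing"
        if host in CERBER_HTTP_HOSTS:
            return "cerber-http-c2"
    return None

def scan(lines):
    """Parse constructed 'proto src_ip dst_ip dst_port [host]' records; return (record, label) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed record, skip it
        proto, _src, dst, port = parts[:4]
        host = parts[4] if len(parts) > 4 else ""
        label = classify(proto, dst, int(port), host)
        if label:
            hits.append((line, label))
    return hits

# Constructed sample records (hypothetical internal host 10.0.0.5), not captured traffic.
SAMPLE_LOG = [
    "tcp 10.0.0.5 5.200.55.214 80 add.qualitiesforlife.com",
    "udp 10.0.0.5 31.184.235.17 6892",
    "udp 10.0.0.5 31.184.236.1 6892",  # just outside the /23, must not match
    "tcp 10.0.0.5 107.161.95.138 80 ffoqr3ug7m726zou.nbz4dn.top",
    "tcp 10.0.0.5 93.184.216.34 443 example.com",
]

if __name__ == "__main__":
    for rec, label in scan(SAMPLE_LOG):
        print(f"{label:18} {rec}")
```

The CIDR match matters for the UDP beacons: Cerber spreads them across the whole /23, so matching on the single address seen in one pcap would miss most of them.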

A variant of Rig Exploit Kit

Since 2016-09-26, I've noticed a new variant of Rig EK. I believe it's one that security researcher Kafeine has designated RIG-v (link). Kafeine describes RIG-v as a VIP version of Rig EK. RIG-v uses a slightly different obfuscation for its landing page. It also displays some Neutrino-style traits and uses RC4 encryption. Luis Rocha has a good write-up on this version of Rig EK in two parts (part 1, part 2).

The Flash exploits used by RIG-v are similar to what I saw from Neutrino EK before it nearly disappeared last month (something also discussed by Kafeine). I still see a trickle of detections for Neutrino EK, but that's dwarfed by the amount of Rig EK (both regular Rig EK and the newer RIG-v) I find on a daily basis.

RIG-v is currently used by the pseudoDarkleech campaign to distribute Cerber ransomware. It's also being used by the Afraidgate campaign to distribute Locky ransomware. The other EK-based campaign I regularly track is the EITest campaign, and it currently uses what I now call regular Rig EK.

Shown above: RIG-v sends the payload (Cerber ransomware) as an encrypted binary.

Artifacts

Flash exploit sent by RIG-v:

  • File size: 50,368 bytes
  • SHA256 hash: b95fa5beddf64653bf88456ed521a0b7226d4fb4f5e8983b85ca5d03d8621be5
  • Location: C:\Users\[username]\AppData\Local\Microsoft\Windows\Temporary Internet Files\index[1].swf

Malware payload (Cerber ransomware):

  • File size: 481,175 bytes
  • SHA256 hash: a31a437f86ee5b5325b77d1956c19b3c144a8d1059b47a642992684ee68bbda0
  • Location:

Shown above: Desktop of the infected Windows host after rebooting.

Getting to the ransom payment page

This Cerber ransomware is a newer version I hadn't noticed until recently. Previous versions of Cerber left more artifacts on the desktop with the decryption instructions (a text file, an HTML file, a VBS file to generate spoken instructions, and a shortcut). This most recent version of Cerber leaves only one file on the desktop, an .HTA file.

Shown above: The web page that appeared when I clicked on one of the links from the HTA file.

Using the window generated by the HTA file, you can get to the decryption instructions. However, this requires getting past a different type of CAPTCHA than before. This newer Cerber variant uses an image-based CAPTCHA that requires multiple clicks to get through.

Shown above: The price to decrypt your files.

Final words

Like other ransomware, Cerber continues to be an evolving threat. I usually see Cerber distributed through EK traffic, but malicious spam (malspam) is another popular method for mass distribution of ransomware. However, these aren't the only vectors. Social media is another vector that's increasingly popular for more targeted attacks. One reader shared a story of being targeted with ransomware through a person contacting her on Skype (see comments from SaraTheEnthusiast at the end of this diary).

For EK traffic, properly administered Windows hosts are not likely to be infected. As long as your Windows host is up to date and fully patched, your risk is minimal for ransomware delivered through an EK. If you're running Windows 10, you have little to worry about.

But enough people are running outdated versions of Windows that are unpatched or poorly administered, so EK campaigns will continue. The pseudoDarkleech campaign has been using EKs to push ransomware, quite literally, for years now. And like other EK-based campaigns, it shows no signs of stopping.

Pcap and malware for this diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
