Rig Exploit Kit sends Cerber Ransomware from 45.35.86.57


NOTES:

  • The Rig Exploit Kit (EK) is again using DoSWF in an attempt to mask itself. See my June 23rd 2016 post for the infection chain details and Rig’s encryption process. [HERE]
  • I have not seen Cerber ransomware since last month when it was delivered by the Neutrino Exploit Kit. [HERE]
  • This is the first time I have seen Cerber Ransomware being delivered via the Rig Exploit Kit. Other avenues of delivery have included the Neutrino Exploit Kit and Malspam.
  • Detailed information about Cerber ransomware can be found at blog.malwarebytes.com.
  • Cerber continues to use the .cerber file extension after file encryption.
  • Below is a brief summary of today’s infection along with its pcap file.

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me at info@broadanalysis.com.

PCAP file of the infection traffic: UDP Traffic not included
2016-06-26-Rig-EK-Cerber-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 85.25.95.39 – realstatistics.info GET /js/analytic.php?id=4 – Rig EK REDIRECT GATE
  • 85.25.95.39 – realstatistics.info GET //js/analytic.php?id=4&tz=-5&rs=1024x768 – Rig EK REDIRECT GATE
  • 45.35.86.57 – ht.gone2vape.org – Rig EK LANDING PAGE
  • 54.84.252.139 – ipinfo.io – Cerber IP ADDRESS CHECK
  • 115.28.36.224 – www.doswf.com – POST INFECT TRAFFIC ASSOCIATED WITH RIG ENCRYPTION
  • 45.35.86.57 – cerberhhyed5frqa.as13fd.win – Cerber POST INFECT TRAFFIC CnC
  • 85.93.0.0 – 85.93.63.255 UDP Source port: 60333 – Destination port: 6892 – Cerber POST INFECT UDP TRAFFIC
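The indicator list above is what a defender would turn into a detection. The following is an added example, not code from the post or from broadanalysis.com: it loads the domains, IPs and the UDP beacon range (85.93.0.0–85.93.63.255, destination port 6892) from this post into a small matcher and runs it over a constructed flow log. The flow-log layout (`proto=... src=... dst=... host=...`) and the sample lines are assumptions made for the example; ipinfo.io and www.doswf.com are treated as context only, since they are legitimate services that also appear in benign traffic.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Indicators copied from the post above (domains, IPs, and the UDP beacon range).
DOMAIN_INDICATORS = {
    "realstatistics.info": "Rig EK redirect gate",
    "ht.gone2vape.org": "Rig EK landing page",
    "cerberhhyed5frqa.as13fd.win": "Cerber post-infection CnC",
}
IP_INDICATORS = {
    "85.25.95.39": "Rig EK redirect gate",
    "45.35.86.57": "Rig EK landing page / Cerber CnC",
}
# Legitimate services contacted during the infection; reported as context, never alerted on alone.
CONTEXT_DOMAINS = {
    "ipinfo.io": "Cerber external IP check",
    "www.doswf.com": "DoSWF check-in associated with Rig's SWF encryption",
}
# Cerber's UDP beacon: source port 60333 to 85.93.0.0 - 85.93.63.255, destination port 6892.
CERBER_UDP_NET = ipaddress.ip_network("85.93.0.0/18")  # covers 85.93.0.0 - 85.93.63.255
CERBER_UDP_SRC_PORT = 60333
CERBER_UDP_DST_PORT = 6892

# Flow-log layout is an assumption made for this example, not a real product's format.
FLOW_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)(?: host=(?P<host>\S+))?"
)


def in_cerber_udp_range(dst: str) -> bool:
    """True when dst falls inside the 85.93.0.0/18 range Cerber beacons to."""
    try:
        return ipaddress.ip_address(dst) in CERBER_UDP_NET
    except ValueError:
        return False


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, label) for one flow line, or None when nothing matches."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    host = (m.group("host") or "").lower()
    dst = m.group("dst")
    if host in DOMAIN_INDICATORS:
        return ("alert", DOMAIN_INDICATORS[host])
    if dst in IP_INDICATORS:
        return ("alert", IP_INDICATORS[dst])
    if (m.group("proto").upper() == "UDP"
            and int(m.group("dport")) == CERBER_UDP_DST_PORT
            and in_cerber_udp_range(dst)):
        # Source port 60333 strengthens the match; it is noted but not required,
        # since a different build or a rebooted host may pick another port.
        note = " (src port 60333)" if int(m.group("sport")) == CERBER_UDP_SRC_PORT else ""
        return ("alert", "Cerber UDP beacon to 85.93.0.0/18:6892" + note)
    if host in CONTEXT_DOMAINS:
        return ("context", CONTEXT_DOMAINS[host])
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Run classify over every line; returns (1-based line number, severity, label)."""
    hits = []
    for n, line in enumerate(lines, start=1):
        result = classify(line)
        if result:
            hits.append((n, result[0], result[1]))
    return hits


# Constructed sample flow log modelled on the infection chain in the post; not captured traffic.
SAMPLE_FLOWS = [
    "2016-06-26 14:01:03 proto=TCP src=10.0.0.12:49211 dst=85.25.95.39:80 host=realstatistics.info",
    "2016-06-26 14:01:05 proto=TCP src=10.0.0.12:49214 dst=45.35.86.57:80 host=ht.gone2vape.org",
    "2016-06-26 14:01:40 proto=TCP src=10.0.0.12:49230 dst=54.84.252.139:80 host=ipinfo.io",
    "2016-06-26 14:02:11 proto=UDP src=10.0.0.12:60333 dst=85.93.17.44:6892",
    "2016-06-26 14:02:12 proto=UDP src=10.0.0.12:60333 dst=85.93.200.9:6892",
    "2016-06-26 14:03:00 proto=TCP src=10.0.0.12:49301 dst=93.184.216.34:443 host=example.com",
]

if __name__ == "__main__":
    for n, sev, label in scan(SAMPLE_FLOWS):
        print(f"line {n}: [{sev}] {label}")
```

The UDP rule keys on the destination network and port rather than on a single IP, because the post shows Cerber spraying the whole 85.93.0.0–85.93.63.255 range; 85.93.200.9 in the sample is outside that range and is correctly left unmatched, and the ipinfo.io lookup is surfaced as context so an analyst can correlate it with the alerts without it generating noise on its own.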


DETAILS OF INFECTION CHAIN:

Shown above: IP addresses and Domains associated with today’s Cerber Ransomware infection


Shown above: Cerber changes the infected host’s Desktop Background


Shown above: Cerber .HTML ransom note and De-Crypt instructions


Shown above: Cerber .HTML ransom note and De-Crypt instructions


Shown above: .cerber file extension used on encrypted files

Shown above: Windows Registry entries associated with Cerber infection


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

  • 2016-06-25-Rig-EK.swf
    Virus Total Link
  • 2016-06-25-Perl.dll
    C:\Users\%UserName%\AppData\Roaming
    Virus Total Link
  • 2016-06-25-forfiles.exe
    C:\Users\%UserName%\AppData\Roaming\{Random-numbers-Letters}
    Deletes self after infection process completes
    Virus Total Link