Rig Exploit Kit via pseudoDarkleech gate hopto.org delivers Cerber ransomware

NOTES:

  • Today I captured traffic from the latest version of Cerber ransomware. The ransomware was delivered via the pseudoDarkleech campaign using the Rig Exploit Kit (EK).
  • pseudoDarkleech redirected to the Rig EK landing page via the hopto.org gate.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2016-10-11-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • libertyleague.com.sg – COMPROMISED SITE
  • 83.217.27.178 – dzguljqiev.hopto.org – REDIRECT GATE
  • 91.107.105.225 – try.goldmillgroup.com – RIG EK LANDING PAGE
  • 148.251.6.214 – btc.blockr.io – CERBER POST INFECTION TRAFFIC
  • 107.161.95.138 – ffoqr3ug7m726zou.zreknv.bid – CERBER POST INFECTION TRAFFIC

ASSOCIATED DOMAINS FOR RANSOM PAYMENT:

http://ffoqr3ug7m726zou.zreknv.bid
http://ffoqr3ug7m726zou.ev99l6.bid
http://ffoqr3ug7m726zou.onion.to


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig EK infection and the delivery of Cerber ransomware


Shown above: Using Wireshark's "Follow Stream" on the compromised site shows the injected script redirecting to the dzguljqiev.hopto.org gate


Shown above: Using Wireshark's "Export Objects" to extract the HTML file served by the hopto.org gate


Shown above: The .htm file extracted from the hopto.org gate shows the redirect script pointing to the Rig EK landing page
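The chain the screenshots above walk through (injected script on the compromised site, hopto.org gate, Rig EK landing page) can be rebuilt from HTTP metadata instead of clicking through one stream at a time, and the same indicator list can be run over the extracted gate HTML. The block below is an added example written for this page, not code from the original post. It takes tshark-style fields for each HTTP request plus the HTML of one exported object; the host names and IP addresses are the indicators listed above, while every URI, the compromised site's IP (203.0.113.10), the gate HTML and the cdn.example.com script reference are constructed placeholders and are not from the pcap.

```python
"""Rebuild a Rig EK redirect chain from HTTP metadata and extracted HTML.

Added example, not the original post's code. Hosts/IPs below are the post's
indicators; URIs, the compromised site's IP and the HTML are constructed.
"""
import re

# Indicators from the post's ASSOCIATED DOMAINS AND IP ADDRESSES list.
IOC_HOSTS = {
    "libertyleague.com.sg": "COMPROMISED SITE",
    "dzguljqiev.hopto.org": "REDIRECT GATE",
    "try.goldmillgroup.com": "RIG EK LANDING PAGE",
    "btc.blockr.io": "CERBER POST INFECTION TRAFFIC",
    "ffoqr3ug7m726zou.zreknv.bid": "CERBER POST INFECTION TRAFFIC",
}
IOC_IPS = {  # IP -> host, for requests that carry no usable Host header
    "83.217.27.178": "dzguljqiev.hopto.org",
    "91.107.105.225": "try.goldmillgroup.com",
    "148.251.6.214": "btc.blockr.io",
    "107.161.95.138": "ffoqr3ug7m726zou.zreknv.bid",
}

# Constructed sample in the layout produced by:
#   tshark -r infection.pcap -Y http.request -T fields -E separator=/t \
#          -e ip.dst -e http.host -e http.request.uri -e http.referer
# 203.0.113.10 (TEST-NET-3) stands in for the compromised site's address and
# every path is a placeholder. The last row has no Host header on purpose, to
# exercise the IP fallback.
SAMPLE_TSV = """\
203.0.113.10\tlibertyleague.com.sg\t/\t
83.217.27.178\tdzguljqiev.hopto.org\t/gate.php\thttp://libertyleague.com.sg/
91.107.105.225\ttry.goldmillgroup.com\t/?q=landing\thttp://dzguljqiev.hopto.org/gate.php
148.251.6.214\tbtc.blockr.io\t/api/v1/address/info/x\t
107.161.95.138\t\t/\t
"""

# Constructed stand-in for the .htm exported from the gate (the real script is
# in the pcap); cdn.example.com is a benign reference added for contrast.
SAMPLE_GATE_HTML = """<html><body>
<script src="//cdn.example.com/jquery.js"></script>
<script>window.location = 'http://try.goldmillgroup.com/?q=landing';</script>
<iframe src="http://try.goldmillgroup.com/?q=landing" width="1" height="1"></iframe>
</body></html>"""


def parse_tshark_fields(text):
    """Parse tab-separated tshark output; missing trailing fields become ''."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, host, uri, referer = (line.split("\t") + [""] * 4)[:4]
        rows.append({"ip": ip, "host": host.lower(), "uri": uri, "referer": referer})
    return rows


def host_of(url):
    """Hostname of an absolute or protocol-relative URL, '' if there is none."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def tag_rows(rows):
    """Label each request with the IOC role it matches (Host first, then dst IP)."""
    return [(r["host"], IOC_HOSTS.get(r["host"]) or IOC_HOSTS.get(IOC_IPS.get(r["ip"], "")))
            for r in rows]


def referer_chain(rows, start_host):
    """Walk Referer headers from start_host: the next hop is the first request
    whose Referer names the current hop. Stops when no request refers back,
    which is why post-infection traffic (no Referer) is not part of the chain."""
    chain, seen = [start_host], {start_host}
    while True:
        nxt = [r["host"] for r in rows
               if host_of(r["referer"]) == chain[-1] and r["host"] not in seen]
        if not nxt:
            return chain
        chain.append(nxt[0])
        seen.add(nxt[0])


# The constructs an injected gate page typically uses to hand the browser on.
REDIRECT_PATTERNS = [
    r'<iframe[^>]+src\s*=\s*["\']([^"\']+)',
    r'<script[^>]+src\s*=\s*["\']([^"\']+)',
    r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)',
    r'["\'](https?://[^"\'\s]+)["\']',
]


def redirect_targets(html):
    """Distinct hosts that iframes, script tags, location assignments or
    absolute URLs in the HTML point at, in order of first appearance per pattern."""
    hosts = []
    for pat in REDIRECT_PATTERNS:
        for url in re.findall(pat, html, re.I):
            h = host_of(url)
            if h and h not in hosts:
                hosts.append(h)
    return hosts


def suspicious_targets(html):
    """Subset of redirect_targets() that matches a known indicator host."""
    return [h for h in redirect_targets(html) if h in IOC_HOSTS]


if __name__ == "__main__":
    rows = parse_tshark_fields(SAMPLE_TSV)
    for host, role in tag_rows(rows):
        print(f"{host or '(no Host header)':35s} {role or '-'}")
    print("chain:", " -> ".join(referer_chain(rows, "libertyleague.com.sg")))
    print("gate HTML points at:", suspicious_targets(SAMPLE_GATE_HTML))
```

Referer-based reconstruction only works while the browser keeps sending the header; a gate that strips it, or a redirect done by a 302 the filter does not capture, still needs "Follow Stream" on the last known hop, which is the step the screenshot above shows.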


Shown above: HTML ransom note and payment instructions associated with Cerber ransomware


Shown above: Infected host desktop ransom note and payment instructions associated with Cerber Ransomware


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: