Websites compromised by EITest and pseudoDarkleech send GootKit and Cerber ransomware

NOTES:

  • Today I captured traffic from the latest version of Cerber ransomware. The ransomware was delivered by the pseudoDarkleech campaign using the Rig Exploit Kit (EK).
  • I also captured traffic from the Rig EK delivering the GootKit banking malware via the EITest campaign.
  • Thanks to Baber for sharing information on the compromised websites.

I have added zipped pcap files for your analysis. The password for each zipped pcap is "infected" (all lowercase).

PCAP files of the infection traffic:
2016-10-21-Rig-EK-GootKit-pcap.zip
2016-10-21-Rig-EK-Cerber1-pcap.zip
2016-10-21-Rig-EK-Cerber2-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES for irfanebrahim.com:

  • irfanebrahim.com – COMPROMISED SITE
  • 192.99.41.252 – g2p3pii.lahimh.top – RIG EK LANDING PAGE
  • 199.180.115.105 – mannyshrag.com Port 80 & 443 – POST-INFECTION TRAFFIC
  • 199.180.115.105 – bigikurik.com Port 80 & 443 – POST-INFECTION TRAFFIC
  • 79.110.251.102 – mannyshrag.com – POST-INFECTION TRAFFIC
  • 79.110.251.102 – bigikurik.com – POST-INFECTION TRAFFIC

IMAGES AND DETAILS OF INFECTION CHAIN for irfanebrahim.com:

Shown above: Network traffic associated with the Rig EK and the delivery of the GootKit banking malware

Shown above: Injected script found on the index page of the compromised site, which redirects the visitor to the Rig EK landing page to start the infection chain

ASSOCIATED DOMAINS AND IP ADDRESSES for mysteriousplayers.com:

  • mysteriousplayers.com – COMPROMISED SITE
  • 5.200.53.44 – do.xianstudios.net – RIG EK LANDING PAGE
  • 136.243.157.171 – ffoqr3ug7m726zou.dmhl2o.bid – CERBER POST-INFECTION TRAFFIC

IMAGES AND DETAILS OF INFECTION CHAIN for mysteriousplayers.com:

Shown above: Network traffic associated with the Rig EK and the Cerber ransomware infection

Shown above: Injected script found on the index page of the compromised site, which redirects the visitor to the Rig EK landing page to start the infection chain

ASSOCIATED DOMAINS AND IP ADDRESSES for katiescakes.com:

  • katiescakes.com – COMPROMISED SITE
  • 5.200.53.44 – do.xianstudios.net – RIG EK LANDING PAGE
  • 136.243.157.171 – ffoqr3ug7m726zou.twyjdx.bid – CERBER POST-INFECTION TRAFFIC
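A detection check over the indicators listed above, added here as an example and not part of the original post: it scans constructed proxy log lines (assumed layout: timestamp, client IP, destination IP, host, method, path) for the Rig EK landing pages and the GootKit and Cerber post-infection hosts and IPs. It also matches the constant first label of the two Cerber hosts under any other .bid domain, since the two entries above differ only in the registered domain, and flags a listed IP even when it is reached under a host that is not on the list.

```python
import re
# Indicators taken from the lists above: host -> label, dst IP -> label
IOC_HOSTS = {
    "g2p3pii.lahimh.top": "Rig EK landing page (GootKit chain)",
    "do.xianstudios.net": "Rig EK landing page (Cerber chain)",
    "mannyshrag.com": "GootKit post-infection traffic",
    "bigikurik.com": "GootKit post-infection traffic",
    "ffoqr3ug7m726zou.dmhl2o.bid": "Cerber post-infection traffic",
    "ffoqr3ug7m726zou.twyjdx.bid": "Cerber post-infection traffic",
}
IOC_IPS = {
    "192.99.41.252": "Rig EK landing page IP",
    "5.200.53.44": "Rig EK landing page IP",
    "199.180.115.105": "GootKit post-infection IP",
    "79.110.251.102": "GootKit post-infection IP",
    "136.243.157.171": "Cerber post-infection IP",
}
# Both Cerber hosts keep the same first label while the registered .bid domain
# changes, so the label alone is worth matching under any .bid domain.
CERBER_LABEL = re.compile(r"^ffoqr3ug7m726zou\.[a-z0-9-]+\.bid$")
# Assumed proxy log layout: "<ts> <client-ip> <dst-ip> <host> <method> <path>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")

def classify(line):
    """Return the IoC labels one log line matches (empty list if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    dst_ip, host = m.group(3), m.group(4).lower().rstrip(".")
    hits = [label for ioc, label in IOC_HOSTS.items()
            if host == ioc or host.endswith("." + ioc)]  # host or any subdomain
    if not hits and CERBER_LABEL.match(host):
        hits.append("Cerber post-infection traffic (host-label match)")
    if dst_ip in IOC_IPS:  # catches a listed IP reached under an unlisted host
        hits.append(IOC_IPS[dst_ip])
    return hits

# Constructed sample lines (not from the pcaps): clean, landing page,
# Cerber host on an unlisted .bid domain, and a hit by IP only.
SAMPLE_LOG = [
    "2016-10-21T10:00:01 10.0.0.5 93.184.216.34 example.com GET /",
    "2016-10-21T10:00:07 10.0.0.5 5.200.53.44 do.xianstudios.net GET /?q=abc",
    "2016-10-21T10:01:30 10.0.0.5 136.243.157.171 ffoqr3ug7m726zou.qwerty.bid POST /",
    "2016-10-21T10:02:10 10.0.0.5 79.110.251.102 cdn.unknown-host.example GET /x",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line.split()[3], "->", "; ".join(classify(line)) or "clean")
```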

IMAGES AND DETAILS OF INFECTION CHAIN for katiescakes.com:

Shown above: Network traffic associated with the Rig EK and the Cerber ransomware infection

Shown above: Injected script found on the index page of the compromised site, which redirects the visitor to the Rig EK landing page to start the infection chain

MALICIOUS PAYLOAD ASSOCIATED WITH irfanebrahim.com:

MALICIOUS PAYLOAD ASSOCIATED WITH mysteriousplayers.com:

MALICIOUS PAYLOAD ASSOCIATED WITH katiescakes.com: