Rig-V Exploit Kit via pseudoDarkleech from 109.234.35.244 delivers Cerber ransomware

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-01-23-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • betongstudio.no – COMPROMISED SITE
  • 109.234.35.244 – 0z5w1.truepowernow.com – RIG-V EK LANDING PAGE
  • 84.200.4.70 – p27dokhpz2n7nvgr.16fohp.top – CERBER POST INFECT TRAFFIC
  • 90.2.1.0 – 90.3.1.31 UDP DESTINATION PORT 6892 – CERBER POST INFECT TRAFFIC
  • 91.239.24.0 – 91.239.25.255 UDP DESTINATION PORT 6892 – CERBER POST INFECT TRAFFIC
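To show how the indicators above can be applied to traffic records from the pcap (or from firewall/NetFlow logs), here is an added example that is not part of the original post. It turns the two Cerber UDP ranges, which are start-end ranges rather than CIDR blocks, into network objects and classifies flow records against the listed hosts, domains and the UDP 6892 check-in pattern. The flow records and the IP used for the compromised site are constructed for illustration; only the indicator values come from the post.

```python
"""Match flow records against the Rig-V / Cerber indicators listed in the post.

Added example, not code from the original post. Flow records below are
constructed; indicator values (IPs, domains, ranges, UDP port) are from the post.
"""
import ipaddress
from typing import Optional

# Single-host indicators from the post.
HOST_IOCS = {
    ipaddress.ip_address("109.234.35.244"): "RIG-V EK LANDING PAGE",
    ipaddress.ip_address("84.200.4.70"): "CERBER POST INFECT TRAFFIC",
}

# Domain indicators from the post (HTTP Host header match).
DOMAIN_IOCS = {
    "0z5w1.truepowernow.com": "RIG-V EK LANDING PAGE",
    "p27dokhpz2n7nvgr.16fohp.top": "CERBER POST INFECT TRAFFIC",
    "betongstudio.no": "COMPROMISED SITE",
}

# Cerber's UDP check-in destinations are given as start-end ranges, not CIDR
# blocks, so expand each range into the minimal list of CIDR networks.
CERBER_UDP_PORT = 6892
CERBER_UDP_RANGES = [
    ("90.2.1.0", "90.3.1.31"),
    ("91.239.24.0", "91.239.25.255"),
]
CERBER_UDP_NETWORKS = [
    net
    for start, end in CERBER_UDP_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)
    )
]


def in_cerber_udp_range(ip: str) -> bool:
    """True if ip falls inside one of the Cerber UDP destination ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CERBER_UDP_NETWORKS)


def classify_flow(flow: dict) -> Optional[str]:
    """Return the indicator label a flow matches, or None.

    Flow schema (constructed for this example): src/dst are IPv4 strings,
    proto is 'tcp' or 'udp', dport is an int, host is the HTTP Host header
    if one was seen, else None.
    """
    dst = ipaddress.ip_address(flow["dst"])
    host = (flow.get("host") or "").lower().rstrip(".")

    if host in DOMAIN_IOCS:
        return DOMAIN_IOCS[host]
    if dst in HOST_IOCS:
        return HOST_IOCS[dst]
    # The UDP indicator is a range AND a port; require both to limit false positives.
    if (flow["proto"] == "udp" and flow["dport"] == CERBER_UDP_PORT
            and in_cerber_udp_range(flow["dst"])):
        return "CERBER POST INFECT TRAFFIC (UDP 6892)"
    return None


def scan_flows(flows) -> list:
    """Return [(index, label)] for every flow that matches an indicator."""
    hits = []
    for i, flow in enumerate(flows):
        label = classify_flow(flow)
        if label:
            hits.append((i, label))
    return hits


# Constructed flow records resembling the chain in the post: compromised site
# (placeholder IP 198.51.100.10) -> EK landing page -> Cerber HTTP -> Cerber UDP
# check-ins, followed by near-misses and a benign flow.
SAMPLE_FLOWS = [
    {"src": "192.168.1.50", "dst": "198.51.100.10", "proto": "tcp", "dport": 80, "host": "betongstudio.no"},
    {"src": "192.168.1.50", "dst": "109.234.35.244", "proto": "tcp", "dport": 80, "host": "0z5w1.truepowernow.com"},
    {"src": "192.168.1.50", "dst": "84.200.4.70", "proto": "tcp", "dport": 80, "host": "p27dokhpz2n7nvgr.16fohp.top"},
    {"src": "192.168.1.50", "dst": "90.2.200.17", "proto": "udp", "dport": 6892, "host": None},
    {"src": "192.168.1.50", "dst": "91.239.25.3", "proto": "udp", "dport": 6892, "host": None},
    {"src": "192.168.1.50", "dst": "90.3.1.32", "proto": "udp", "dport": 6892, "host": None},  # one past the range end
    {"src": "192.168.1.50", "dst": "90.2.50.1", "proto": "udp", "dport": 53, "host": None},    # in range, wrong port
    {"src": "192.168.1.50", "dst": "203.0.113.5", "proto": "tcp", "dport": 443, "host": "example.com"},
]

if __name__ == "__main__":
    for idx, label in scan_flows(SAMPLE_FLOWS):
        f = SAMPLE_FLOWS[idx]
        print(f"flow {idx}: {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}  {label}")
```

Requiring both the range and port 6892 for the UDP indicator matters: the two ranges cover several hundred addresses, and matching on destination alone would flag unrelated traffic to those blocks. The compromised site is reported with its own label so an analyst does not block a victim domain as if it were attacker infrastructure.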

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig-V exploit kit and Cerber ransomware infection

Shown above: Injected script found on the index page of the compromised site, which redirects visitors to the Rig-V EK landing page to start the infection chain. The page source can be viewed by right-clicking the web page and selecting “View source”.

Shown above: Infected host desktop ransom note and payment instructions associated with Cerber Ransomware

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: