Rig-V Exploit Kit via pseudoDarkleech from 195.161.114.179 delivers Cerber ransomware

Thanks to @inept_secops for tweeting information on the compromised site.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-02-21-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • autismservicesaba.com – COMPROMISED SITE
  • 195.161.114.179 – art.allthin.gs – RIG-V EK LANDING PAGE
  • 94.140.120.111 – p27dokhpz2n7nvgr.1gqqsc.top – CERBER POST INFECT TRAFFIC
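The indicators above are most useful when run against your own proxy or DNS logs to find hosts that touched each stage of the chain (compromised site, Rig-V landing page, Cerber callback). The script below is an added example and not part of the original post: it takes the domains and IPs listed above, matches them against a few constructed squid-style proxy log lines (timestamp, client, method, URL, destination IP), and reports which stages each client reached. Domain matching is done on label boundaries so that subdomains of a listed host match but look-alike names do not.

```python
"""Match the indicators from this post against constructed proxy log lines.

Added example, not part of the original post. Indicator values come from the
post; the log lines and the log format are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators listed in the post, with the role each one plays in the chain.
IOC_DOMAINS = {
    "autismservicesaba.com": "compromised site",
    "art.allthin.gs": "Rig-V EK landing page",
    "p27dokhpz2n7nvgr.1gqqsc.top": "Cerber post-infection traffic",
}
IOC_IPS = {
    "195.161.114.179": "Rig-V EK landing page",
    "94.140.120.111": "Cerber post-infection traffic",
}
# Order of the infection chain, used to summarise what each client reached.
STAGES = ["compromised site", "Rig-V EK landing page", "Cerber post-infection traffic"]

# Constructed sample log: "<ts> <client> <method> <url> <dst_ip>" per line.
# Clients 10.0.0.5 and 10.0.0.8 are fictitious; 203.0.113.0/24, 198.51.100.0/24
# and example.com are documentation ranges/names used as harmless filler.
SAMPLE_LOG = """\
1487692800.123 10.0.0.5 GET http://autismservicesaba.com/ 203.0.113.10
1487692801.456 10.0.0.5 GET http://art.allthin.gs/index.php 195.161.114.179
1487692805.789 10.0.0.5 POST http://p27dokhpz2n7nvgr.1gqqsc.top/data 94.140.120.111
1487692806.000 10.0.0.7 GET http://www.example.com/index.html 93.184.216.34
1487692807.000 10.0.0.8 GET http://cdn.art.allthin.gs/x 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$"
)


def host_matches(host: str, ioc_domain: str) -> bool:
    """True if host equals the indicator or is a subdomain of it (label boundary)."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_log(text: str) -> list:
    """Return one hit dict per log line that touches a listed domain or IP."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        host = urlsplit(m["url"]).hostname or ""
        dst = m["dst"]
        reasons = []  # (indicator kind, indicator value, chain stage)
        for domain, stage in IOC_DOMAINS.items():
            if host_matches(host, domain):
                reasons.append(("domain", domain, stage))
        if dst in IOC_IPS:
            reasons.append(("ip", dst, IOC_IPS[dst]))
        if reasons:
            hits.append({"line": lineno, "client": m["client"], "host": host,
                         "dst": dst, "reasons": reasons})
    return hits


def stages_by_client(hits: list) -> dict:
    """Map each client to the chain stages it was seen contacting, in chain order."""
    seen = {}
    for h in hits:
        labels = seen.setdefault(h["client"], set())
        for _kind, _value, stage in h["reasons"]:
            labels.add(stage)
    return {c: [s for s in STAGES if s in labels] for c, labels in seen.items()}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        why = ", ".join(f"{k} {v} ({s})" for k, v, s in h["reasons"])
        print(f"line {h['line']}: {h['client']} -> {h['host']} [{h['dst']}]: {why}")
    for client, stages in stages_by_client(hits).items():
        print(f"{client}: {' -> '.join(stages)}")
```

A client that shows all three stages (compromised site, landing page, post-infection callback) is the one to pull off the network and image first; a client that only reached the landing page may have been served the exploit without a successful payload run and should still be checked against the payload hash below.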

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig-V exploit kit and Cerber ransomware infection

Shown above: Injected script found on the index page of the compromised site, which redirects the visitor to the Rig-V EK landing page to start the infection chain

Shown above: Ransom note and payment instructions on the infected host's desktop, associated with Cerber ransomware

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

2017-02-21-rad9AED0.tmp.exe – [Cerber]
VirusTotal link