Last Updated: 2016-10-14 18:50:11 UTC
by Brad Duncan (Version: 1)
Let's take a look at an infection from the pseudoDarkleech campaign that I intercepted earlier today (Friday 2016-10-14).
Below are screenshots of the traffic filtered in Wireshark.
Traffic caused by this infection chain of events:
- 126.96.36.199 port 80 - add.qualitiesforlife.com - Rig EK
- 188.8.131.52 through 184.108.40.206 (220.127.116.11/23) port 6892 - UDP traffic caused by Cerber
- 18.104.22.168 port 80 - ffoqr3ug7m726zou.nbz4dn.top - HTTP traffic caused by Cerber ransomware
Other domains from the Cerber ransomware decryption instructions:
A variant of Rig Exploit Kit
Since 2016-09-26, I've noticed a new variant of Rig EK. I believe it's one that security researcher Kafeine has designated RIG-v (link). Kafeine describes RIG-v as a "VIP version" of Rig EK. RIG-v uses a slightly different obfuscation for its landing page. It also displays some Neutrino-style traits and uses RC4 encryption. Luis Rocha has a good write-up on this version of Rig EK in two parts (part 1, part 2).
The Flash exploits used by RIG-v are similar to what I saw from Neutrino EK before it nearly disappeared last month (something also discussed by Kafeine). I still see a trickle of detections for Neutrino EK, but that's dwarfed by the amount of Rig EK (both regular Rig EK and the newer RIG-v) I find on a daily basis.
RIG-v is currently used by the pseudoDarkleech campaign to distribute Cerber ransomware. It's also being used by the Afraidgate campaign to distribute Locky ransomware. The other EK-based campaign I regularly track is the EITest campaign, and it currently uses what I now call "regular Rig EK."
Below are some images of this infection traffic:
Malware and artifacts
Flash exploit sent by RIG-v:
- File size: 50,368 bytes
- SHA256 hash: b95fa5beddf64653bf88456ed521a0b7226d4fb4f5e8983b85ca5d03d8621be5
- Location: C:\Users\[username]\AppData\Local\Microsoft\Windows\Temporary Internet Files\index.swf
Malware payload (Cerber ransomware):
- File size: 481,175 bytes
- SHA256 hash: a31a437f86ee5b5325b77d1956c19b3c144a8d1059b47a642992684ee68bbda0
- Location: C:\Users\[username]\AppData\Local\Temp\rad13FE2.tmp.exe
Getting to the ransom payment page
This Cerber ransomware is a newer version I hadn't noticed until recently. Previous versions of Cerber left more artifacts on the desktop with the decryption instructions (a text file, an html file, a VBS file to generate spoken instructions, and a shortcut). This most recent version of Cerber leaves only one file on the desktop, an .HTA file. HTA is a file extension for HTML Application files.
Using the window generated by the HTA file, you can get to the decryption instructions. However, this requires getting past a different type of CAPTCHA than before. This newer Cerber variant uses an image-based CAPTCHA that requires multiple clicks to get through. Turns out this new variant of Cerber with the updated CAPTCHA debuted back in August 2016 as noted by BleepingComputer.
This particular Cerber infection showed a ransom payment of 0.7238 bitcoin (460 US dollars) for the first 5 days, after which it will double to 1.4476 bitcoin (921 US dollars).
Like other ransomware, Cerber continues to be an evolving threat. I usually see Cerber distributed through EK traffic, but malicious spam (malspam) is another popular method for mass distribution of ransomware. However, these aren't the only vectors. Social media is another vector that's increasingly popular for more targeted attacks. One reader shared a story of being targeted with ransomware through a person contacting her on Skype (see comments from SaraTheEnthusiast at the end of this diary).
For EK traffic, properly-administered Windows hosts are not likely to be infected. As long as your Windows host is up-to-date and fully patched, your risk is minimal for ransomware delivered through an EK. If you're running Windows 10, you have little to worry about.
But enough people are running outdated versions of Windows that are un-patched or poorly-administered, so EK campaigns will continue. The pseudoDarkleech campaign has been using EKs to push ransomware, quite literally, for years now. And like other EK-based campaigns, it shows no signs of stopping.
Pcap and malware for this diary can be found here.
brad [at] malware-traffic-analysis.net