RIG-v from 109.234.34.144 sends Cerber Ransomware

Posted in ransomware, exploitkit

Domains:

50.59.102.32 colcap.com - Compromised site
109.234.34.144 add.edward40handsgloves.com - RIG-v
65.55.50.0/27 Cerber Checkin
192.42.118.0/27 Cerber Checkin
194.165.16.0/22 Cerber Checkin
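Three of the indicators above are network ranges rather than single hosts, so an exact-match lookup on the destination address would never flag the Cerber check-in traffic. The following matcher, added here as an example and not part of the original post, resolves each destination in a set of constructed flow records against the post's indicators with proper CIDR containment (the flow lines and their "src dst proto" layout are assumed for illustration):

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Indicators taken from the post above. The three check-in entries are
# network ranges, so a plain string comparison on the host would miss them.
INDICATORS: Dict[str, str] = {
    "50.59.102.32/32": "Compromised site (colcap.com)",
    "109.234.34.144/32": "RIG-v (add.edward40handsgloves.com)",
    "65.55.50.0/27": "Cerber Checkin",
    "192.42.118.0/27": "Cerber Checkin",
    "194.165.16.0/22": "Cerber Checkin",
}

NETWORKS: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network(cidr), label) for cidr, label in INDICATORS.items()
]


def label_for(ip: str) -> Optional[str]:
    """Return the indicator label for ip, or None if it is in no listed range."""
    addr = ipaddress.ip_address(ip)
    for net, label in NETWORKS:
        if addr in net:
            return label
    return None


def scan_flows(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse 'src dst proto' flow lines and return (dst, proto, label) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the scan
        _src, dst, proto = parts
        label = label_for(dst)
        if label:
            hits.append((dst, proto, label))
    return hits


# Constructed sample flow records (assumed format, not from the post's pcap).
SAMPLE_FLOWS = [
    "10.0.0.5 50.59.102.32 tcp",
    "10.0.0.5 109.234.34.144 tcp",
    "10.0.0.5 194.165.18.77 udp",   # inside 194.165.16.0/22
    "10.0.0.5 65.55.50.31 udp",     # last address of 65.55.50.0/27
    "10.0.0.5 65.55.50.32 udp",     # one past the /27: must not match
    "10.0.0.5 8.8.8.8 udp",
]

if __name__ == "__main__":
    for dst, proto, label in scan_flows(SAMPLE_FLOWS):
        print(f"{dst:16} {proto:4} {label}")
```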
Traffic:

[Image: Evil Redirector]

[Image: RIG-v & Cerber Traffic]

Network Signatures:
[1:2022962:3] ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 12 2016
[1:2023401:3] ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)
[1:2023196:2] ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2
[1:2014726:88] ET POLICY Outdated Windows Flash Version IE
[1:2816808:2] ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016
[1:2820989:3] ETPRO CURRENT_EVENTS RIG/Sundown/Xer EK Payload Jul 06 2016 M2
[1:2023453:5] ET TROJAN Ransomware/Cerber Checkin 2
[1:2816764:3] ETPRO TROJAN Ransomware/Cerber Checkin Error ICMP Response

[Image: exploit and Cerber execution]

File Hashes:

Detection ratio: 4 / 54

MD5: 7bebf4ba3379681524938ef93cf7f3bc
SHA1: 39cc64f47f9f005f437360ff74fa9c2b8d6d5673
SHA256: 83f623627fc0d87a588bc3b4ab5090caf959cef4c6035226d710375c09ef499f
File type: Flash
associated files:
traffic.zip