
RIG-v from sends Cerber Ransomware

Posted in ransomware, exploitkit


Domains:   Compromised site   RIG-v EK      Cerber Checkin      Why???


[Figure: Evil Redirector]

[Figure: RIG-v & Cerber Scanning]

Network Signatures:

[1:2022962:3] ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 12 2016
[1:2023401:3] ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)
[1:2023196:2] ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2
[1:2014726:88] ET POLICY Outdated Windows Flash Version IE
[1:2023401:3] ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)
[1:2820989:3] ETPRO CURRENT_EVENTS RIG/Sundown/Xer EK Payload Jul 06 2016 M2
[1:2023453:5] ET TROJAN Ransomware/Cerber Checkin 2
[1:2816808:2] ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016
[1:2816505:2] ETPRO TROJAN Cerber Ransomware UDP Scanning
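The signature list above is the whole infection chain in alert form. As an added example (not part of the original post), the following Python parses those ET/ETPRO alert lines, collapses the repeated sid, and groups the hits into kill-chain stages so an analyst can see redirector, landing, exploit, payload and callback at a glance; the keyword-to-stage table is an assumption made for this example, not an ET convention.

```python
import re
from collections import OrderedDict

# Alert lines exactly as listed on this page (constructed input for the example).
ALERTS = """\
[1:2022962:3] ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 12 2016
[1:2023401:3] ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)
[1:2023196:2] ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2
[1:2014726:88] ET POLICY Outdated Windows Flash Version IE
[1:2023401:3] ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)
[1:2820989:3] ETPRO CURRENT_EVENTS RIG/Sundown/Xer EK Payload Jul 06 2016 M2
[1:2023453:5] ET TROJAN Ransomware/Cerber Checkin 2
[1:2816808:2] ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016
[1:2816505:2] ETPRO TROJAN Cerber Ransomware UDP Scanning
"""

# "[gid:sid:rev] RULESET CATEGORY message" as Snort/Suricata print ET alerts.
ALERT_RE = re.compile(r"^\[(\d+):(\d+):(\d+)\]\s+(ET|ETPRO)\s+(\S+)\s+(.*)$")

# Assumed keyword-to-stage mapping; list order is kill-chain order.
STAGES = [
    ("redirect", ("redirector",)),
    ("landing", ("landing", "uri struct")),
    ("exploit", ("flash exploit", "outdated windows flash")),
    ("payload", ("ek payload",)),
    ("c2", ("checkin", "udp scanning")),
]

def parse_alert(line):
    """Return a dict for one alert line, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    gid, sid, rev, ruleset, category, msg = m.groups()
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev),
            "ruleset": ruleset, "category": category, "msg": msg}

def stage_of(msg):
    low = msg.lower()
    for stage, keys in STAGES:
        if any(k in low for k in keys):
            return stage
    return "unknown"

def infection_chain(text):
    """Map stage -> [sid, ...] in kill-chain order, each sid counted once."""
    chain = OrderedDict((s, []) for s, _ in STAGES)
    chain["unknown"] = []
    seen = set()
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None or a["sid"] in seen:
            continue
        seen.add(a["sid"])
        chain[stage_of(a["msg"])].append(a["sid"])
    return chain
```

Anything landing in "unknown" is a signature the stage table does not cover and should be reviewed by hand rather than ignored.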

Process Tree:

[Figure: Exploit and Cerber execution]

File Hashes:

Detection ratio: 10 / 54

SHA256: a51c4a6e8797b75620efb64edf297bd2137230a45c18d96f66a3e9edbe988403
File type: Flash

Detection ratio: 8 / 56

SHA256: 87cf0ee7bfd0c089a88809b5236e6398fc2b7c899af61458e357f411983719be
File type: Win32 EXE


Detection ratio: 1 / 56

SHA256: 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
File type: Win32 DLL


associated files:
