
RIG-v from 194.87.238.148 sends Cerber Ransomware

Posted in ransomware, exploitkit



Today I got a fresh sample of the latest Cerber Ransomware. It is faster and uses far fewer system resources than the previous version.

Domains and IPs:

188.166.61.165     wordpress-14104-30674-76641.cloudwaysapps.com   Compromised site
194.87.238.148     add.nocoauto.net                                RIG-v EK
15.49.2.0/27       -                                               Cerber Checkin
122.1.13.0/27      -                                               Cerber Checkin
194.165.16.0/24    -                                               Cerber Checkin
194.165.17.0/24    -                                               Cerber Checkin



Traffic:

[Image: Evil Redirector]


[Image: RIG-v & Cerber Scanning]



Network Signatures:

ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)
ETPRO CURRENT_EVENTS Evil Redirect to RIG-v EK Oct 24 2016
ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 12 2016
ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2
ETPRO CURRENT_EVENTS RIG EK Landing Nov 30 2016 (RIG-v)
ET POLICY Outdated Windows Flash Version IE
ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)
ETPRO CURRENT_EVENTS RIG/Sundown/Xer EK Payload Jul 06 2016 M2
ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016
ETPRO CURRENT_EVENTS RIG EK Flash Exploit Nov 25 2016
ET TROJAN Ransomware/Cerber Checkin 2
ETPRO TROJAN Cerber Ransomware UDP Scanning
ETPRO TROJAN W32.Cerber Ransomware HTTP Pattern
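The indicators above (the compromised site, the RIG-v host and the four Cerber check-in ranges) are easiest to use as a small matcher run over flow or proxy logs. The script below is an added example, not code from this post or from the Emerging Threats rules named above. It takes the IPs, hostnames and CIDR blocks from the post as-is, parses a constructed one-line-per-flow log format (timestamp, source, destination, protocol, destination port, HTTP host or "-"), and flags exact matches for the redirector and exploit kit plus CIDR membership for the check-in ranges. The sample records, their timestamps and ports are constructed for illustration; one of them sits just outside a /27 boundary to show that the range check, not a string prefix, decides.

```python
import ipaddress
from typing import Dict, List, Optional

# Indicators taken from the post: hostnames, IPs and the Cerber check-in ranges.
HOST_IOCS: Dict[str, str] = {
    "wordpress-14104-30674-76641.cloudwaysapps.com": "Compromised site",
    "add.nocoauto.net": "RIG-v EK",
}
IP_IOCS: Dict[str, str] = {
    "188.166.61.165": "Compromised site",
    "194.87.238.148": "RIG-v EK",
}
CERBER_CHECKIN_NETS = [
    ipaddress.ip_network(cidr)
    for cidr in ("15.49.2.0/27", "122.1.13.0/27", "194.165.16.0/24", "194.165.17.0/24")
]

# Constructed sample flow records (not from the post's traffic.zip), one per line:
#   <timestamp> <src_ip> <dst_ip> <proto> <dst_port> host=<http host or ->
# Timestamps and destination ports are arbitrary sample values.
SAMPLE_FLOWS: List[str] = [
    "2016-12-01T10:00:01 10.0.0.5 188.166.61.165 tcp 80 host=wordpress-14104-30674-76641.cloudwaysapps.com",
    "2016-12-01T10:00:03 10.0.0.5 194.87.238.148 tcp 80 host=add.nocoauto.net",
    "2016-12-01T10:00:09 10.0.0.5 194.165.16.17 udp 6000 host=-",
    "2016-12-01T10:00:09 10.0.0.5 122.1.13.31 udp 6000 host=-",   # last address in 122.1.13.0/27
    "2016-12-01T10:00:09 10.0.0.5 122.1.13.40 udp 6000 host=-",   # outside the /27, must not match
    "2016-12-01T10:00:10 10.0.0.5 8.8.8.8 udp 53 host=-",
    "this line is malformed and is skipped",
]


def parse_flow(line: str) -> Optional[dict]:
    """Split one constructed flow record into fields; return None if it is malformed."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].startswith("host="):
        return None
    return {
        "ts": parts[0],
        "src": parts[1],
        "dst": parts[2],
        "proto": parts[3].lower(),
        "dport": parts[4],
        "host": parts[5][len("host="):],
    }


def classify_flow(flow: dict) -> Optional[str]:
    """Return the indicator label for a flow, or None if nothing in the post matches."""
    # Exact matches for the compromised site and the exploit kit host.
    if flow["host"] in HOST_IOCS:
        return HOST_IOCS[flow["host"]]
    if flow["dst"] in IP_IOCS:
        return IP_IOCS[flow["dst"]]
    # The check-in indicators are whole ranges, so test CIDR membership
    # rather than comparing address strings.
    try:
        dst = ipaddress.ip_address(flow["dst"])
    except ValueError:
        return None
    if any(dst in net for net in CERBER_CHECKIN_NETS):
        return "Cerber Checkin"
    return None


def scan_flows(lines: List[str]) -> List[dict]:
    """Run the matcher over a list of flow records and return the hits in order."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        label = classify_flow(flow)
        if label is not None:
            hits.append({"ts": flow["ts"], "dst": flow["dst"], "proto": flow["proto"], "label": label})
    return hits


if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(f'{hit["ts"]} {hit["dst"]:<16} {hit["proto"]:<4} {hit["label"]}')
```

Run against the sample, the first two records are flagged by hostname, the two addresses inside the check-in ranges are flagged by CIDR membership, and 122.1.13.40 falls through because it lies above the /27. Swap SAMPLE_FLOWS for lines read from a real export in the same format and the rest is unchanged.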



Process Tree:

[Image: Exploit and Cerber execution]



File Hashes:

Detection ratio: 6 / 54

SHA256: 1f593737d5850d0b854d6f1f3fd8977b56bef479c14558339b0dad4a1d466647
File type: Flash


Detection ratio: 12 / 52

SHA256: 3bc5db596f58fc574e29a9a6ad640aebcd35c2c3c2e13c0efae6b18b382eb002
File type: Win32 EXE




New Wallpaper:

[Image: New Cerber Wallpaper & Note]


The new version of Cerber has noticeably lower CPU and memory usage on the system during encryption:

[Image: New Cerber CPU & Memory Usage]

vs

[Image: Old Cerber CPU & Memory Usage]


Associated files:
traffic.zip

This website focuses on the latest malware, exploit kits, spam and phishing attacks that are seen in the wild. Inspired by @malware_traffic, @BroadAnalysis and @malwareforme
