Magnitude EK delivers Cerber

Summary:

Perseverance is the key sometimes. I finally got Magnitude to drop a payload, so yes, Cerber is back on the EK table after the PseudoDarkleech gate seemed to vanish.

This is a very interesting sample. Aside from the usual scriptlet and scheduled task (sctask), I also saw PowerShell and several new URLs using a user agent named “contype”. There is lots to review here to determine what exactly happened, which I will look into in the future.

For now, I hope you enjoy digging through the PCAP. Note that I used a proxy, so the destination IP addresses are not all accurate.

Downloads (in password protected zip)

Malvertising, Gates, Magnitude EK and Cerber Ransomware


UDP 6893 Len=14 – 94.21.172.0-31, 94.23.173.0-255, 94.22.172.0-31, 94.23.174.0-255, 94.23.172.0-255, 94.23.175.0-255

api.blockcypher.com/v1/btc/main/addrs/1HTDy9SkfhwaNCXFA8wFCvN53f3iGpm8kb?_=1492731591851

api.blockcypher.com/v1/btc/main/txs/d6a8ed5e1aab504c79ac86bb79b7c129826ad03774f3181780aaafb70a998f9e?_=1492731598192

Details of infection chain:

Image: MagnitudeEKCerber.png

Magnitude drops Cerber. A lot is going on here including some powershell.

Full Details:

Please refer to this post, Magnitude EK URL’s from 14-20 April, for more details on Magnitude. I will describe in brief some notable changes. Other than these changes, I still witnessed the scriptlet and the scheduled tasks, as well as multiple failed payloads.

First, I noticed the Flash file called a URL. In past examples I have looked at, this was not seen. The URL uses an IP address instead of the host name the rest of the EK is on. This then downloads the payload.

Image: FlashToPayload

After this small payload runs, it calls another URL which is an executable (Cerber).

Image: PayloadExecutes

Other than this, there are notable differences:

  • Different obfuscation on the second landing page. There may even be new code here.
  • I also noticed PowerShell was running, though I did not capture what was run.
  • The user agent “contype” was used for the new URLs.
  • The payload was called “a.exe”.
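The two network behaviours described above (the bare-IP payload download with the “contype” user agent, and the UDP 6893 beacons to the 94.2x.17x.0 ranges listed in the Downloads section) can be checked for in proxy and firewall logs. This is an added example, not code from the original post; the log lines are constructed and the field layout is an assumption, but the hosts, paths, port, datagram length and address ranges are those quoted on the page.

```python
import ipaddress

# Constructed sample logs (not from the post's PCAP), space-separated fields:
#   HTTP: client dst_host path user_agent content_type   UDP: client dst_ip dst_port payload_len
SAMPLE_HTTP = """\
10.0.0.5 28p90fale420490h.yetsix.men /59l8x35td53g4256 Mozilla/5.0 application/x-shockwave-flash
10.0.0.5 217.182.227.102 /0fe67cf41bf78e5e8563ab7ac8ad673d contype application/octet-stream
10.0.0.5 217.182.227.102 /6a301484f548a191f7c5290f267f8ef6 contype application/x-msdownload
10.0.0.7 update.example.test /ok.cab contype application/vnd.ms-cab-compressed
"""
SAMPLE_UDP = """\
10.0.0.5 94.23.173.17 6893 14
10.0.0.5 8.8.8.8 53 41
10.0.0.5 94.23.175.200 6893 14
"""
# Ranges quoted in the post, as CIDR: 94.23.172.0-255 .. 94.23.175.0-255 is one /22,
# the two 0-31 ranges are /27s. Port 6893 and a 14-byte payload are from the post too.
CERBER_UDP_NETS = [ipaddress.ip_network(n) for n in
                   ("94.23.172.0/22", "94.21.172.0/27", "94.22.172.0/27")]
CERBER_UDP_PORT, CERBER_UDP_LEN = 6893, 14
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload"}

def is_bare_ip(host):
    """True when the Host is a literal IP, as the post's payload URLs were."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def flag_http(log):
    """Flag executable downloads from a bare-IP host with user agent 'contype'.
    'contype' alone is noisy (urlmon sends it for legitimate content-type probes)."""
    hits = []
    for line in log.splitlines():
        client, host, path, ua, ctype = line.split()
        if ua == "contype" and is_bare_ip(host) and ctype in EXEC_TYPES:
            hits.append({"client": client, "url": host + path})
    return hits

def flag_udp(log):
    """Flag 14-byte UDP datagrams to port 6893 inside the Cerber beacon ranges."""
    hits = []
    for line in log.splitlines():
        client, dst, port, length = line.split()
        addr = ipaddress.ip_address(dst)
        if (int(port) == CERBER_UDP_PORT and int(length) == CERBER_UDP_LEN
                and any(addr in net for net in CERBER_UDP_NETS)):
            hits.append({"client": client, "dst": dst})
    return hits
```

Because the post notes a proxy was in use, the destination addresses in a real capture may need to be taken from the proxy's own logs rather than the PCAP.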

There is lots to review and I will take a deeper dive into it in the future.

If you don’t know about Cerber Ransomware then where have you been! Probably one of the most mature ransomware families, Cerber encrypts files and requests bitcoin in order to decrypt them. This sample encrypted files with the .ba89 extension.

Image: CerberPic

SHA256: 01d934d41965248241ab941ef3a8b75314637e0aa50ce506cc76b67f506be901
File name: a.exe
Detection ratio: 14 / 61
TrendMicro-HouseCall Ransom_HPCERBER.SMONT3

Here is the VirusTotal report on the Flash exploit 59l8x35td53g4256.swf. Magnitude’s Flash exploits always have a very low detection rate. I’m surprised to see McAfee is the only one to detect this.

SHA256: feff4b90fd5cf172c5422f63ecafcecc71877931038708ef745e205e7c763f2a
File name: 59l8x35td53g4256.swf
Detection ratio: 1 / 56
McAfee-GW-Edition BehavesLike.Flash.Exploit.zl
