Summary:
Perseverance is the key sometimes. I finally got Magnitude to drop a payload, so yes, Cerber is back on the EK table after the PseudoDarkleech gate seemed to vanish.
This is a very interesting sample. Aside from the usual scriptlet and scheduled task, I also saw PowerShell and several new URLs using a user agent named “contype”. There is lots to review here to determine what exactly happened, which I will look into in the future.
For now, I hope you enjoy digging through the PCAP. Note I used a proxy, so the destination IP addresses are not all accurate.
Downloads (in password protected zip)
- 210417-MagnitudeCerber-PCAP – PCAP of Magnitude and Cerber
- 210417-Cerber – Cerber (a.exe – 01d934d41965248241ab941ef3a8b75314637e0aa50ce506cc76b67f506be901)
- 210417-MagnitudeFlash – Magnitude’s Flash exploit (feff4b90fd5cf172c5422f63ecafcecc71877931038708ef745e205e7c763f2a)
Malvertising, Gates, Magnitude EK and Cerber Ransomware
zv1.sierra-boa.com/zcvisitor/939a51f8-2621-11e7-881a-120b8a9756d6?campaignid=7b0bac00-9f63-11e6-b67a-0e0b03568723
track.reacheffect.com/click.php?c=6508&key=vapy165k197q98zvu855qijq&campaignid=457715&cid=zv939a51f8262111e7881a120b8a9756d69b3bd7b938ba4b7790b825db592f43420201836c3ce8bc5a47&keyword=1120000&match=&visitor=NON-ADULT&traffic=POPUP&tar=foxtrot-ope-KDUgZ0ei&source=rubiginous-reindeer&long_campaignid=7b0bac00-9f63-11e6-b67a-0e0b03568723
track.reacheffect.com/jump/?jl=5938753
pub.reacheffect.com/go/8740/Ze.6508.5.rubiginous-reindeer?clickid=19859172263
webinvestfx.com/?pubid=3324286&clickid=19859172263
a15ab15peq.namehes.com/1187p984x1224p1280x1194p0x1233p24x864p96x867p96x2271ptruex700p1024x1237p96x1236p96x1234p24x799p96x798p96x741p1280x
28p90fale420490h.yetsix.men/
28p90fale420490h.yetsix.men/47lec9w1l269cc5jeo
28p90fale420490h.yetsix.men/9bke7o63bl4fm73sf
28p90fale420490h.yetsix.men/9bke7o63bl4fm73sf
28p90fale420490h.yetsix.men/6a1bf2f35r49rc4n
28p90fale420490h.yetsix.men/59l8x35td53g4256
28p90fale420490h.yetsix.men/59l8x35td53g4256
28p90fale420490h.yetsix.men/6aafe41330492e3c6a44d22b804f1626.sct
/b9aaf93c8cd1cec06cf9906abcdc9759
28p90fale420490h.yetsix.men/59l8x35td53g4256
217.182.227.102/0fe67cf41bf78e5e8563ab7ac8ad673d
217.182.227.102/6a301484f548a191f7c5290f267f8ef6
/6a301484f548a191f7c5290f267f8ef6
UDP 6893 Len=14 – 94.21.172.0-31, 94.23.173.0-255, 94.22.172.0-31, 94.23.174.0-255, 94.23.172.0-255, 94.23.175.0-255
api.blockcypher.com/v1/btc/main/addrs/1HTDy9SkfhwaNCXFA8wFCvN53f3iGpm8kb?_=1492731591851
api.blockcypher.com/v1/btc/main/txs/d6a8ed5e1aab504c79ac86bb79b7c129826ad03774f3181780aaafb70a998f9e?_=1492731598192
Details of infection chain:
Full Details:
Please refer to this post for more details on Magnitude EK URLs from 14-20 April. I will describe in brief some notable changes. Other than these changes, I still witnessed the scriptlet and the scheduled tasks, as well as multiple failed payloads.
First I noticed the Flash file called a URL. In past examples I have looked at this was not seen. The URL uses an IP instead of the host name the rest of the EK is on. This then downloads the payload.
After this small payload runs, it calls another URL which serves an executable (Cerber).
Other than this, there are notable differences:
- Different obfuscation on the second landing page. There may even be new code here.
- I also noticed powershell was running though did not capture what was run.
- The user agent “contype” was used for the new URLs.
- The payload was called “a.exe”.
There is lots to review and I will take a deeper dive into it in the future.
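As an added example (not part of the original post or the PCAP), the script below turns two of the traits described above into detection logic a defender could run over proxy logs and flow records: the .sct scriptlet fetch and the bare “contype” user agent on the HTTP side, and the 14-byte UDP datagrams to port 6893 sweeping the address ranges listed in the chain. The log and flow lines are constructed and their column format is an assumption; the URLs, user agent and ranges are the ones this post lists.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed proxy log lines: client method url "user-agent" (format is an assumption;
# the URLs and the bare "contype" user agent are the ones this post lists).
PROXY_LOG = """\
10.0.0.5 GET http://28p90fale420490h.yetsix.men/6aafe41330492e3c6a44d22b804f1626.sct "Mozilla/5.0"
10.0.0.5 GET http://217.182.227.102/0fe67cf41bf78e5e8563ab7ac8ad673d "contype"
10.0.0.5 GET http://217.182.227.102/6a301484f548a191f7c5290f267f8ef6 "contype"
10.0.0.7 GET http://example.com/index.html "Mozilla/5.0"
"""
# Constructed UDP flow records: src dst dport payload_len (destinations picked from the ranges below).
UDP_FLOWS = """\
10.0.0.5 94.23.173.17 6893 14
10.0.0.5 94.23.174.200 6893 14
10.0.0.5 94.21.172.9 6893 14
10.0.0.7 8.8.8.8 53 32
"""
# The "94.21.172.0-31, 94.23.173.0-255, ..." ranges from the chain, written as CIDR blocks.
CERBER_RANGES = [ip_network(n) for n in (
    "94.21.172.0/27", "94.22.172.0/27", "94.23.172.0/24",
    "94.23.173.0/24", "94.23.174.0/24", "94.23.175.0/24")]
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def flag_http(log):
    """(client, reason, url) for .sct scriptlet fetches and 'contype' user-agent requests."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, url, ua = m.groups()
        if ua == "contype":
            hits.append((client, "contype user agent", url))
        elif url.split("?")[0].lower().endswith(".sct"):
            hits.append((client, "scriptlet (.sct) download", url))
    return hits

def flag_udp(flows, min_targets=2):
    """{src: distinct targets} for hosts sending 14-byte UDP to port 6893 inside CERBER_RANGES,
    reported once they reach min_targets distinct destinations (a range sweep, not one stray packet)."""
    targets = {}
    for line in flows.splitlines():
        src, dst, dport, length = line.split()
        if dport != "6893" or length != "14":
            continue
        if any(ip_address(dst) in net for net in CERBER_RANGES):
            targets.setdefault(src, set()).add(dst)
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}
```

Because the post notes the capture went through a proxy, the HTTP check keys on the URL and user agent rather than destination addresses, which may not be accurate.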
If you don’t know about Cerber Ransomware, then where have you been! Probably one of the most mature ransomware families, Cerber encrypts files and requests bitcoin in order to decrypt them. This sample encrypted files with the .ba89 extension.
| Field | Value |
|---|---|
| SHA256 | 01d934d41965248241ab941ef3a8b75314637e0aa50ce506cc76b67f506be901 |
| File name | a.exe |
| Detection ratio | 14 / 61 |
| TrendMicro-HouseCall | Ransom_HPCERBER.SMONT3 |
Here is the VirusTotal report on the Flash exploit 59l8x35td53g4256.swf. Magnitude’s Flash exploits always have a very low detection rate. I’m surprised to see McAfee is the only one to detect this.
| Field | Value |
|---|---|
| SHA256 | feff4b90fd5cf172c5422f63ecafcecc71877931038708ef745e205e7c763f2a |
| File name | 59l8x35td53g4256.swf |
| Detection ratio | 1 / 56 |
| McAfee-GW-Edition | BehavesLike.Flash.Exploit.zl |