Perseverance is the key sometimes. I finally got Magnitude to drop a payload so yes Cerber is back on the EK table after the PseudoDarkleech gate seemed to vanish.
This is a very interesting sample. Aside from the usual scriptlet and sctask, I also saw PowerShell and several new URLs using a user agent named “contype”. There is lots to review here to determine what exactly happened, which I will look into in the future.
For now hope you enjoy digging through the PCAP. Note I used a proxy so the destination IP addresses are not all accurate.
Downloads (in password protected zip)
- 210417-MagnitudeCerber-PCAP – PCAP of Magnitude and Cerber
- 210417-Cerber – Cerber (a.exe – 01d934d41965248241ab941ef3a8b75314637e0aa50ce506cc76b67f506be901)
- 210417-MagnitudeFlash – Magnitude’s Flash exploit (feff4b90fd5cf172c5422f63ecafcecc71877931038708ef745e205e7c763f2a)
Malvertising, Gates, Magnitude EK and Cerber Ransomware
Details of infection chain:
Please refer to this post for more details on Magnitude EK URLs from 14-20 April. I will describe in brief some notable changes. Other than these changes, I still witnessed the scriptlet and the scheduled tasks as well as multiple failed payloads.
First, I noticed the Flash file called a URL. In past examples I have looked at, this was not seen. The URL uses an IP instead of the host name the rest of the EK is on. This then downloads the payload.
Other than this, there are notable differences:
- Different obfuscation on the second landing page. There may even be new code here.
- I also noticed PowerShell was running, though I did not capture what was run.
- The user agent “contype” was used for the new URLs.
- The payload was called “a.exe”.
There is lots to review and I will take a deeper dive into it in the future.
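A hunting sketch for two of the network changes listed above (the “contype” user agent and a Host that is an IP literal rather than a name), added here as an example and not taken from the original post. The rows, hosts and paths are constructed placeholders; it keys on the Host header because, as noted, the proxy makes the destination IPs in the PCAP unreliable.

```python
import ipaddress

# Constructed sample rows (Host, URI, User-Agent), tab-separated, as a field
# export of HTTP requests might look. Hosts and paths are placeholders.
SAMPLE = """\
ads.example.net\t/banner.js\tMozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)
gate.example.org\t/landing\tMozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)
192.0.2.10\t/placeholder-path\tcontype
192.0.2.10:8080\t/placeholder-path\tContype
198.51.100.7\t/update.bin\tMozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)
[2001:db8::1]\t/x\tcontype
"""

def host_is_ip(host):
    """True when the Host header is an IP literal, with or without a port."""
    host = host.strip()
    if host.startswith("["):            # bracketed IPv6, e.g. [2001:db8::1]:80
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # IPv4 or name followed by :port
        host = host.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def hunt(text):
    """Return (host, uri, reasons) for each request matching an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue                    # skip malformed rows
        host, uri, ua = parts
        reasons = []
        if ua.strip().lower() == "contype":   # case-insensitive by choice
            reasons.append("ua-contype")
        if host_is_ip(host):
            reasons.append("ip-literal-host")
        if reasons:
            hits.append((host, uri, reasons))
    return hits

if __name__ == "__main__":
    for host, uri, reasons in hunt(SAMPLE):
        print(f"{host}{uri}  {'+'.join(reasons)}")
```

An IP-literal Host on its own is a weak signal; the two indicators together are the combination this post describes.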
If you don’t know about Cerber Ransomware then where have you been! Probably one of the most mature ransomwares, Cerber encrypts files and requests bitcoin in order to decrypt them. This sample encrypted files with the .ba89 extension.
Detection ratio: 14 / 61
Here is the VirusTotal report on the Flash exploit 59l8x35td53g4256.swf. Magnitude’s Flash exploits always have a very low detection rate. I’m surprised to see McAfee is the only one to detect this.
Detection ratio: 1 / 56