Multiple Magnitude EK drops Cerber Ransomware Samples

Summary:


I still continue to look at Magnitude now that I have managed to get it to drop a payload. I'm amazed at how different the flows appear to look each time. It is a lot more interesting to witness than Rig EK.

Currently Magnitude is still region-locked and "private"; however, it is still very active in these regions and is certainly a big threat to anyone using an outdated version of Flash, Windows or IE.

Here I have four samples, all of which dropped the latest version of Cerber Ransomware. I have created a CSV which contains all the URLs for easier copy-pasting of IOCs.

Background Information

I came across this article, which contains very good information about Magnitude and is still mostly relevant.

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

Some hints as to how to deobfuscate Magnitude:

https://pcsxcetrasupport3.wordpress.com/2017/04/24/a-look-at-the-magnitude-exploit-kit-encoding/

Downloads (in password-protected zip)

Note: to trigger Magnitude you need certain conditions, so I have used a proxy to achieve this, which may explain the odd headers and IP addresses.

Details of infection chain:

26MagCerber.png

This image shows the flows of the latest Magnitude sample. The commands are taken from another sample that is also included in the pcaps.

Mag1

Magnitude EK starting with mymoneybit.com


Mag2

Magnitude EK starting with paplauskaja.net


Mag3

Magnitude EK starting with webinvestfx.com


Full Details:

For more information on Magnitude check out my previous posts:

Magnitude EK delivers Cerber

Magnitude EK URL’s from 14-20 April

I have three samples of Cerber. I have been informed this is the latest version of Cerber. It did not change my background or play audio. I would copy the hashes for easy copy-pasting, but Cerber is very evasive when it comes to AV detections. The file sizes vary quite significantly between samples.

Cerber still attempts UDP 6893 connections. It also modifies firewall settings, which you can see in the main image above. There is also a 5-10 minute window in which the ransomware actually takes effect.
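The UDP 6893 traffic is the network-side indicator a defender can hunt for in the pcaps. The script below is an added example, not code from this post or from any Cerber analysis tool: it reads space-separated flow records (constructed sample lines, not captured traffic) and flags any source that sends UDP to port 6893 at many distinct destinations within a short time window. The port is the one named above; the record format, the fan-out threshold and the window length are assumptions made for the example.

```python
"""Flag hosts that spray UDP datagrams to port 6893 across many destinations.

Added example for this post, not code from the original page or from any
Cerber/Magnitude tooling. The only fact taken from the post is the port
number. The record format (space-separated "ts src dst proto dport", roughly
the columns one would pull from a Zeek conn.log or a tshark export), the
fan-out threshold and the time window are assumptions.
"""
from collections import defaultdict

CERBER_UDP_PORT = 6893      # port named in the post
MIN_DISTINCT_DSTS = 5       # assumption: benign UDP on one port rarely fans out this far
WINDOW_SECONDS = 60         # assumption: the beacons arrive as a burst

# Constructed sample records, not captured traffic.
#   10.0.0.15: burst of 8 distinct destinations in under a second -> flagged
#   10.0.0.20: only 2 destinations -> below threshold
#   10.0.0.30: 6 destinations but TCP, not UDP -> ignored
#   10.0.0.40: 5 destinations but 120 s apart -> never inside one window
SAMPLE_LOG = """\
# ts            src        dst       proto dport
1493000000.10  10.0.0.15  1.2.3.4   udp   6893
1493000000.20  10.0.0.15  1.2.3.5   udp   6893
1493000000.30  10.0.0.15  1.2.3.6   udp   6893
1493000000.40  10.0.0.15  1.2.3.7   udp   6893
1493000000.50  10.0.0.15  1.2.3.8   udp   6893
1493000000.60  10.0.0.15  1.2.3.9   udp   6893
1493000000.70  10.0.0.15  1.2.3.10  udp   6893
1493000000.80  10.0.0.15  1.2.3.11  udp   6893
1493000005.00  10.0.0.20  5.6.7.8   udp   6893
1493000005.50  10.0.0.20  5.6.7.9   udp   6893
1493000010.00  10.0.0.30  9.9.9.1   tcp   6893
1493000010.10  10.0.0.30  9.9.9.2   tcp   6893
1493000010.20  10.0.0.30  9.9.9.3   tcp   6893
1493000010.30  10.0.0.30  9.9.9.4   tcp   6893
1493000010.40  10.0.0.30  9.9.9.5   tcp   6893
1493000010.50  10.0.0.30  9.9.9.6   tcp   6893
1493000100.00  10.0.0.40  8.8.1.1   udp   6893
1493000220.00  10.0.0.40  8.8.1.2   udp   6893
1493000340.00  10.0.0.40  8.8.1.3   udp   6893
1493000460.00  10.0.0.40  8.8.1.4   udp   6893
1493000580.00  10.0.0.40  8.8.1.5   udp   6893
"""


def parse_record(line):
    """Split one record into (ts, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return float(ts), src, dst, proto.lower(), int(dport)


def find_udp_sprayers(lines, port=CERBER_UDP_PORT,
                      min_dsts=MIN_DISTINCT_DSTS, window=WINDOW_SECONDS):
    """Return {src: sorted distinct dsts} for every source that sent UDP to
    `port` at >= `min_dsts` distinct destinations inside any `window` seconds."""
    per_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = parse_record(line)
        if proto == "udp" and dport == port:
            per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()                       # order by timestamp
        left = 0
        for right, (ts, _) in enumerate(events):
            # slide the left edge until the window spans at most `window` seconds
            while ts - events[left][0] > window:
                left += 1
            if len({d for _, d in events[left:right + 1]}) >= min_dsts:
                hits[src] = sorted({d for _, d in events})
                break
    return hits


if __name__ == "__main__":
    for src, dsts in find_udp_sprayers(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: UDP/{CERBER_UDP_PORT} to {len(dsts)} distinct hosts: {dsts}")
```

To run it over real traffic, export the equivalent columns from the pcap (for a Zeek conn.log that is `ts id.orig_h id.resp_h proto id.resp_p` via zeek-cut) and pass the lines in; the threshold is deliberately a parameter so it can be tuned against what a given network normally sends to that port. The firewall change mentioned above is a host-side indicator that this network check does not cover.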

CerberPic

These are the ransom notes: the .HTA and the notepad (text) file.


CerberPic

The Cerber Decryptor asks for a language. There are multiple languages not shown here, and the text cycles through them.

Language


It then asks you to solve a captcha as a "security" check. I was unable to solve the puzzle, so I could not continue to the payment part.

CerberPuzzle.png

Lastly, this icon appears on the decryptor.

CerberIcon
