I am still looking at Magnitude now that I have managed to get it to drop a payload. I’m amazed at how different the flow appears each time; it is a lot more interesting to watch than Rig EK.
Magnitude is currently still region-locked and “private”; however, it is still very active in those regions and is certainly a big threat to anyone using an outdated version of Flash, Windows or IE.
Here I have four samples, all of which dropped the latest version of Cerber ransomware. I have created a CSV containing all the URLs for easier copy-pasting of IOCs.
I came across this article which contains very good information about Magnitude and is mostly still relevant.
Some hints as to how to deobfuscate Magnitude:
Downloads (in password protected zip)
Note: triggering Magnitude requires certain conditions, so I have used a proxy to achieve this, which may explain the odd headers and IP addresses.
Details of infection chain:
For more information on Magnitude check out my previous posts:
I have three samples of Cerber. I have been informed this is the latest version of Cerber. It did not change my background or play audio. I would copy the hashes for easy copy-pasting, but Cerber is very evasive when it comes to AV detections. The file sizes vary quite significantly between samples.
Cerber still attempts UDP 6893 connections. It also modifies firewall settings, which you can see in the main image above. There is also a 5-10 minute window before the ransomware actually takes effect.
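The UDP 6893 traffic mentioned above is something a defender can hunt for in flow or firewall logs. The following is an added example, not code from the original post: it parses constructed flow records (the log format, IP addresses and timestamps are all made up for the example) and flags any internal host that fans out UDP traffic to port 6893 across several distinct destinations within a short time window. The fan-out threshold and the window length are assumptions chosen for the example, not values stated in the post.

```python
"""Flag hosts that fan out UDP traffic to port 6893 in flow logs.

Added example for illustration; the log layout and all sample values
below are constructed and are not from the original post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Destination port the post notes Cerber still attempts to reach.
CERBER_UDP_PORT = 6893

# Constructed flow log lines: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>".
# 192.168.1.50 sprays four hosts on UDP/6893 within seconds; 192.168.1.20 is
# mostly normal traffic with a single UDP/6893 flow (below the threshold).
SAMPLE_FLOWS = """\
2017-03-01 10:00:01 UDP 192.168.1.50:49152 -> 10.0.0.1:6893
2017-03-01 10:00:01 UDP 192.168.1.50:49152 -> 10.0.0.2:6893
2017-03-01 10:00:02 UDP 192.168.1.50:49152 -> 10.0.0.3:6893
2017-03-01 10:00:02 UDP 192.168.1.50:49152 -> 10.0.0.4:6893
2017-03-01 10:00:03 UDP 192.168.1.20:53444 -> 192.168.1.1:53
2017-03-01 10:00:05 TCP 192.168.1.20:50001 -> 93.184.216.34:443
2017-03-01 10:00:07 UDP 192.168.1.20:55555 -> 10.0.0.9:6893
2017-03-01 10:30:00 UDP 192.168.1.50:49153 -> 10.0.1.1:6893
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse_flows(text):
    """Parse flow lines into dicts; lines that do not match the layout are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": m["proto"].upper(),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return flows


def find_udp_6893_fanout(flows, min_distinct_dsts=3, window=timedelta(minutes=5)):
    """Return {src_ip: distinct UDP/6893 destinations in the busiest window}
    for every source that reaches at least `min_distinct_dsts` distinct hosts
    on UDP/6893 within any span of length `window`.

    The threshold and window are assumptions for the example; tune them to
    the size of the network being monitored.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "UDP" and f["dport"] == CERBER_UDP_PORT:
            by_src[f["src"]].append((f["ts"], f["dst"]))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        # Slide a window starting at each event and count distinct destinations.
        for i, (start, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - start <= window}
            best = max(best, len(dsts))
        if best >= min_distinct_dsts:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, count in find_udp_6893_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {count} distinct hosts reached on UDP/{CERBER_UDP_PORT}")
```

Counting distinct destinations rather than raw packets keeps a single stray UDP/6893 flow from a legitimate application from tripping the alert, while a host sweeping many peers on that port stands out quickly.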
These are the ransom notes: the .HTA file and the text (Notepad) file.
The Cerber Decryptor asks for a language. There are several more not shown here, and the text cycles through the languages.
It then asks you to solve a captcha as a “security” check. I was unable to solve the puzzle, so I could not continue to the payment part.
Lastly, this icon appears on the decryptor.