Magnitude EK via Malvertising drops Cerber Ransomware

Summary:

For a few weeks I lost track of Magnitude. The proxies I was using were blocking the malvertising chain or were known to Magnitude Gates. However I have found it again and it has become the new “PseudoDarkleech” for me in that it is always seems to drop Cerber Ransomware. This time I followed the decryptor to see what the ransom was and got a special deal of 0.5654 bitcoin.

This time although I used a proxy, I modified the CSV to contain the real IP addresses. Please see previous Magnitude posts for a more detailed look at what is going on.

Background Information:

  • Article from RSA, although a few months old and missing some newer aspects of Magnitude, the fundamentals have not changed.

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

  • Previous Magnitude EK posts from me.

Multiple Magnitude EK drops Cerber Ransomware Samples

Magnitude EK delivers Cerber

Downloads (in password protected zip)

Details of infection chain:

(click to enlarge!)

16MagnitudeCerber

Magnitude EK via malvertising drops Cerber Ransomware

Full Details:

This flow was found through a malvertising chain. A series of 302 redirects leads to the first Magnitude profiling gate on a compromised website. These website are usually hosting financial scams. If you do not pass the profiling you are presented with a normal looking website.

I have detailed Magnitude EK in previous posts so please refer to the “background information” section above for more info.

Magnitude is very noisy from a users point of view. It’s multiple vectors for delivering a payload such a scheduled task and use of a Scriplet creates multiple failed payloads. I think I end up with about 5-6 empty payloads after every flow. I’m not sure if these have failed due to my host or a certain requirement has not been met. What’s more is it attempts to run the Scriplet multiple times each one creates a UAC prompt to accept the command meaning I am forced to cancel or OK it in order to do anything else. All the while, Magnitude is attempting to fetch a real payload.

What seems to lead to Cerber is Magnitude’s Flash file. The URL’s with no domain have been initiated from this file. Here are the VirusTotal report on the Flash exploit 343s66fq0i75g.swf. Magnitude’s Flash exploits always have a very low detection rate in fact this one was zero at the time of writing.

SHA256: d77aa8f5c7826c271cfc4f9be1b4b11863351add4cba4161005b134e80651fcb
File name: 343s66fq0i75g.swf
Detection ratio: 0 / 56

Oddly my version of Cerber had already been uploaded to Virus Total which meant the detection’s were quite high. This is very strange because usually Cerber has a unique hash for every sample (or at least from my experience from EK’s it has.).

SHA256: ab0b0f4fbfef9d965dcf1e49c7ff53378ee5d834e7ef79b9b621c3d0594211f0
File name: a.exe
Detection ratio: 28 / 62

Cerber encrypts using a .ba89 extention and drops a ransom note and a decryptor in the form of a HTA file. The ransom note was named “_READ_THIS_FILE_3WF17TOB.txt”. It did not play audio or change my background.

note1

hta

I decided this time to follow the instructions using the TOR link. After passing a “bot” CAPTCHA test (which i forgot to screenshot but involved clicking similar images to continue), The decryptor gave me a special price of 0.5654 bitcoin which would increase to 1.13008 after 5 days.

decrypt

There is also an option to decrypt 1 file for free to test that it is actually working. I did not try this but judging by the professionalism of this “service” it is likely it would work.

freefile

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s