For a few weeks I lost track of Magnitude. The proxies I was using were blocking the malvertising chain or were known to Magnitude's gates. However, I have found it again, and it has become the new “PseudoDarkleech” for me in that it always seems to drop Cerber Ransomware. This time I followed the decryptor to see what the ransom was and got a special deal of 0.5654 bitcoin.
Although I used a proxy this time, I modified the CSV to contain the real IP addresses. Please see previous Magnitude posts for a more detailed look at what is going on.
- Article from RSA; although a few months old and missing some newer aspects of Magnitude, the fundamentals have not changed.
- Previous Magnitude EK posts from me.
Multiple Magnitude EK drops Cerber Ransomware Samples
Downloads (in password-protected zip)
- 16-May-2017-Magnitude-Cerber– PCAP of Magnitude and Cerber
- 16-May-2017-Cerber– Cerber (a.exe – ab0b0f4fbfef9d965dcf1e49c7ff53378ee5d834e7ef79b9b621c3d0594211f0)
- 16-May-17-Magnitude-CerberCSV – CSV of traffic with resolved IP addresses.
- 16-May-2017-Magnitude-Flash – Magnitude's Flash exploit (d77aa8f5c7826c271cfc4f9be1b4b11863351add4cba4161005b134e80651fcb)
Details of infection chain:
This flow was found through a malvertising chain. A series of 302 redirects leads to the first Magnitude profiling gate on a compromised website. These websites usually host financial scams. If you do not pass the profiling, you are presented with a normal-looking website.
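To make the redirect chain described above concrete, here is an added example (my own analyst helper, not code from the original post) that reconstructs 302 chains from a traffic CSV like the one offered in the downloads. The CSV layout, the host names, paths and IP addresses are all constructed placeholders, not the real capture's indicators, and the three-hop threshold used to flag a landing page as a candidate gate is an assumption for triage.

```python
import csv
import io
from urllib.parse import urlparse

# Constructed traffic log (assumption: a CSV export with one row per HTTP
# request, already resolved to destination IPs). Hosts, paths and addresses
# are placeholders, not the IoCs from the post's real capture.
SAMPLE_CSV = """time,src_ip,dst_ip,host,uri,status,location
0.10,10.0.0.5,203.0.113.10,ads.example.test,/click?id=1,302,http://track.example.test/r/9
0.25,10.0.0.5,203.0.113.11,track.example.test,/r/9,302,http://cdn.example.test/go
0.40,10.0.0.5,203.0.113.12,cdn.example.test,/go,302,http://compromised-site.test/index.php
0.55,10.0.0.5,203.0.113.13,compromised-site.test,/index.php,200,
0.70,10.0.0.5,203.0.113.13,compromised-site.test,/style.css,200,
0.90,10.0.0.5,203.0.113.20,news.example.test,/,200,
"""


def parse_traffic(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _request_key(host, uri):
    return (host.lower(), uri)


def _location_key(location):
    """Turn a Location header into the (host, uri) key of the request it triggers."""
    u = urlparse(location)
    uri = u.path or "/"
    if u.query:
        uri += "?" + u.query
    return _request_key(u.hostname or "", uri)


def redirect_chains(rows):
    """Reconstruct 302 redirect chains.

    A chain starts at a 302 response that no other Location header points to
    and follows Location headers hop by hop until a non-302 response (the
    landing page) or a dead end. Returns a list of chains; each chain is a
    list of (host, uri, status, dst_ip) tuples.
    """
    by_key = {}
    for r in rows:
        by_key.setdefault(_request_key(r["host"], r["uri"]), []).append(r)

    redirect_targets = {
        _location_key(r["location"]) for r in rows
        if r["status"] == "302" and r["location"]
    }

    chains = []
    for start in rows:
        if start["status"] != "302" or not start["location"]:
            continue
        if _request_key(start["host"], start["uri"]) in redirect_targets:
            continue  # reached from an earlier redirect, so not a chain start
        chain, cur, seen = [], start, set()
        while cur is not None and id(cur) not in seen:
            seen.add(id(cur))  # guard against redirect loops
            chain.append((cur["host"], cur["uri"], cur["status"], cur["dst_ip"]))
            if cur["status"] != "302" or not cur["location"]:
                break
            nxt = by_key.get(_location_key(cur["location"]))
            cur = nxt[0] if nxt else None
        chains.append(chain)
    return chains


def candidate_gates(chains, min_hops=3):
    """Landing hosts reached through at least `min_hops` consecutive 302s.

    The threshold is an assumed triage cut-off, not a property of Magnitude.
    Returns (landing_host, landing_ip, hop_count) tuples.
    """
    found = []
    for chain in chains:
        hops = [h for h in chain if h[2] == "302"]
        landing = chain[-1]
        if len(hops) >= min_hops and landing[2] != "302":
            found.append((landing[0], landing[3], len(hops)))
    return found


if __name__ == "__main__":
    chains = redirect_chains(parse_traffic(SAMPLE_CSV))
    for chain in chains:
        print(" -> ".join(f"{h[0]}{h[1]} [{h[2]}]" for h in chain))
    print("candidate gates:", candidate_gates(chains))
```

On the constructed rows this yields one four-hop chain ending at the landing page, which `candidate_gates` reports with its resolved IP; on a real export you would feed the parsed rows in and review the flagged landing hosts by hand, since a three-hop chain is also common in benign ad delivery.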
I have detailed Magnitude EK in previous posts so please refer to the “background information” section above for more info.
Magnitude is very noisy from a user’s point of view. Its multiple vectors for delivering a payload, such as a scheduled task and the use of a scriptlet, create multiple failed payloads. I think I end up with about 5-6 empty payloads after every flow. I’m not sure whether these have failed because of my host or because a certain requirement has not been met. What’s more, it attempts to run the scriptlet multiple times, and each attempt creates a UAC prompt to accept the command, meaning I am forced to cancel or OK it in order to do anything else. All the while, Magnitude is attempting to fetch a real payload.
What seems to lead to Cerber is Magnitude’s Flash file. The URLs with no domain have been initiated from this file. Here is the VirusTotal report on the Flash exploit 343s66fq0i75g.swf. Magnitude’s Flash exploits always have a very low detection rate; in fact this one was zero at the time of writing.
Detection ratio: 0 / 56
Oddly, my version of Cerber had already been uploaded to VirusTotal, which meant the detections were quite high. This is very strange because usually Cerber has a unique hash for every sample (or at least, in my experience with EKs, it has).
Detection ratio: 28 / 62
Cerber encrypts files with a .ba89 extension and drops a ransom note and a decryptor in the form of an HTA file. The ransom note was named “_READ_THIS_FILE_3WF17TOB.txt”. It did not play audio or change my background.
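As an added defender-side example (my own code, not from the original post), the two on-disk indicators just described, the .ba89 extension and the _READ_THIS_FILE_ note, can be turned into a simple host scan. It assumes the 8-character token in the note name varies per victim (so it is matched as a pattern), treats any .hta file sitting next to a note as the likely decryptor (the post does not give its file name), and uses an assumed cut-off of five renamed files as an alternative trigger; the sample tree it scans is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators from the sample described in the post: encrypted files get a
# ".ba89" extension and the ransom note was "_READ_THIS_FILE_3WF17TOB.txt".
ENCRYPTED_EXT = ".ba89"
# Assumption: the 8-character token in the note name varies per victim, so it
# is matched as a pattern rather than the literal name from this sample.
NOTE_PATTERN = re.compile(r"^_READ_THIS_FILE_[A-Z0-9]{8}\.txt$", re.IGNORECASE)


def scan_for_cerber_artifacts(root, ext_threshold=5):
    """Walk `root` and report files matching the sample's indicators.

    Returns a dict with the encrypted files, ransom notes, any .hta files in
    the same directory as a note (assumed to be the dropped decryptor) and a
    verdict. `ext_threshold` is an assumed triage cut-off: many files carrying
    the extension is treated as infection even if the note is missing.
    """
    encrypted, notes, hta_by_dir = [], [], {}
    for dirpath, _, filenames in os.walk(root):
        dir_key = str(Path(dirpath))
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() == ENCRYPTED_EXT:
                encrypted.append(str(path))
            elif NOTE_PATTERN.match(name):
                notes.append(str(path))
            elif path.suffix.lower() == ".hta":
                hta_by_dir.setdefault(dir_key, []).append(str(path))
    note_dirs = {str(Path(n).parent) for n in notes}
    decryptors = sorted(p for d in note_dirs for p in hta_by_dir.get(d, []))
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "decryptor_candidates": decryptors,
        "suspected_infection": bool(notes) or len(encrypted) >= ext_threshold,
    }


def build_sample_tree():
    """Create a temporary directory of constructed files mimicking the aftermath."""
    root = tempfile.mkdtemp(prefix="cerber_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx").write_bytes(b"untouched file")
    # Cerber renames encrypted files; these base names are constructed placeholders.
    for name in ("7kTfQ2pL", "Zb91xcQ0", "mN4a8Rw2"):
        (docs / f"{name}{ENCRYPTED_EXT}").write_bytes(b"\x00" * 32)
    (docs / "_READ_THIS_FILE_3WF17TOB.txt").write_text("constructed ransom note")
    # The real decryptor's file name is not given in the post; this one is made up.
    (docs / "_DECRYPT_DEMO.hta").write_text("<html></html>")
    return root


def build_clean_tree():
    """A control directory with no indicators, for comparison."""
    root = tempfile.mkdtemp(prefix="clean_demo_")
    (Path(root) / "notes.txt").write_text("nothing to see here")
    return root


if __name__ == "__main__":
    for label, tree in (("infected", build_sample_tree()), ("clean", build_clean_tree())):
        result = scan_for_cerber_artifacts(tree)
        print(label, "->", result["suspected_infection"],
              len(result["encrypted_files"]), "encrypted,",
              len(result["ransom_notes"]), "notes,",
              len(result["decryptor_candidates"]), "hta")
```

Pointing `scan_for_cerber_artifacts` at a user profile gives a quick triage answer; the extension and note pattern are specific to this sample, so they belong in a lookup you update as new Cerber variants appear rather than hard-coded in production tooling.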
I decided this time to follow the instructions using the TOR link. After passing a “bot” CAPTCHA test (which I forgot to screenshot, but it involved clicking similar images to continue), the decryptor gave me a special price of 0.5654 bitcoin, which would increase to 1.13008 after 5 days.
There is also an option to decrypt one file for free to test that it actually works. I did not try this, but judging by the professionalism of this “service”, it is likely that it would work.