Magnitude EK via RoughTed drops Cerber Ransomware

Summary:

In my previous blog I found Rig EK via the RoughTed malvertising operation. I saw in the Malwarebytes article that it also redirected to Magnitude EK. Curious to find it, I set my lab up for Magnitude and went to find it. It only took about 5 minutes.

I wonder what else RoughTed leads to apart from that which has been listed.

Background Information:

  • An article from RSA. Although it is a few months old and missing some newer aspects of Magnitude, the fundamentals have not changed.

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

  • A few previous Magnitude EK posts from me.

Multiple Magnitude EK drops Cerber Ransomware Samples

Magnitude EK delivers Cerber

  • An article regarding RoughTed Malvertising:

https://blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser/

Downloads (in password protected zip)

Details of infection chain:


Magnitude EK via RoughTed malvertising drops Cerber

Full Details:

This flow began with “RoughTed”. This is a malvertising operation reported on by Malwarebytes recently. Other than the initial starting point, everything else seemed fairly normal.

I have detailed Magnitude EK in previous posts so please refer to the “background information” section above for more info.

This time, though, I had a double landing page which opened in a separate window. I only saw PowerShell commands in processes for both “a.exe” and “b.exe”. In this flow, “b.exe” was downloaded successfully and ran, which I have not seen before. The Scriptlet also failed to create a failed payload.

Below is a screenshot of what happens when the Flash file runs. It appears to generate a URL that is met with a 404; however, another URL is requested to download a payload that exploits CVE-2015-2426 and, in this case, allows Magnitude to run PowerShell commands, which were successful.

MagnitudeFlash

The Cerber binary had a reasonably high number of detections:

SHA256: 60e2b83d21c39f78d1612c2f5a06a943d8b6cc51c1f4a51312b85dff414f4e76
File name: b.exe
Detection ratio: 19 / 61

I only noticed one change in this Cerber and that was the ransom note said (and no typo) “Hi, I’am CERBER RANSOMWARE :)” which I’m fairly sure I have not seen before.

CerberShot

 
