Summary:
In my previous blog I found Rig EK via the RoughTed malvertising operation. I saw in the MalwareBytes article that it also redirected to Magnitude EK. Curious to find it, I set my lab up for Magnitude and went looking for it. It only took about 5 minutes.
I wonder what else RoughTed leads to apart from that which has been listed.
Background Information:
- An article from RSA; although it is a few months old and misses some newer aspects of Magnitude, the fundamentals have not changed.
- A few previous Magnitude EK posts from me:
Multiple Magnitude EK drops Cerber Ransomware Samples
- An article regarding RoughTed Malvertising:
https://blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser/
Downloads (in password-protected zip):
- 31-May-2017-Magnitude-Cerber-PCAP – PCAP of Magnitude and Cerber
- 31-May-2017-Cerber – Cerber (b.exe – 60e2b83d21c39f78d1612c2f5a06a943d8b6cc51c1f4a51312b85dff414f4e76)
- 31-May-2017-Magnitude-Cerber-CSV – CSV of traffic with resolved IP addresses.
Full Details:
This flow began with “RoughTed”, a malvertising operation reported on by MalwareBytes recently. Other than the initial starting point, everything else seemed fairly normal.
I have detailed Magnitude EK in previous posts, so please refer to the “background information” section above for more info.
This time, though, I had a double landing page which opened in a separate window. I only saw PowerShell commands in processes for both “a.exe” and “b.exe”. In this flow, “b.exe” was downloaded successfully and ran, which I have not seen before. The Scriptlet also failed to create a payload.
Below is a screenshot of what happens when the Flash file runs. It appears to generate a URL that is met with a 404; however, another URL is then requested to download a payload that exploits CVE-2015-2426 and, in this case, allows Magnitude to run PowerShell commands, which were successful.
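The request pattern described above (a Flash file is served, a follow-up URL returns a 404, then a second URL delivers a binary payload) is the kind of sequence a defender can pull out of a traffic CSV like the one in the downloads. The script below is an added example and not part of the original post or its downloads: it runs over a constructed CSV whose hostnames, URIs and column layout are placeholders (the real CSV's columns are not shown on the page), flags any client that fetches a Flash object followed by a 404 and then an executable download within a short window, and walks the Referer fields back to reconstruct the redirect chain from the ad network to the payload.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the style of a "traffic with resolved IPs" CSV.
# Hosts and URIs are placeholders, not real Magnitude or RoughTed infrastructure.
SAMPLE_CSV = """timestamp,src_ip,host,uri,status,content_type,size,referer
10:00:01,10.0.0.5,ad-network.example,/click?x=1,302,text/html,0,
10:00:02,10.0.0.5,landing.example,/index.html,200,text/html,4120,http://ad-network.example/click?x=1
10:00:03,10.0.0.5,landing.example,/loader.swf,200,application/x-shockwave-flash,39217,http://landing.example/index.html
10:00:04,10.0.0.5,landing.example,/c47aa2,404,text/html,0,http://landing.example/index.html
10:00:05,10.0.0.5,landing.example,/payload/ff03,200,application/octet-stream,230912,http://landing.example/index.html
10:00:30,10.0.0.5,www.example.org,/news,200,text/html,8000,
"""

FLASH_TYPES = {"application/x-shockwave-flash"}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}


def load_flows(text):
    """Parse the CSV text into a list of row dicts (one per HTTP request)."""
    return list(csv.DictReader(io.StringIO(text)))


def _secs(ts):
    """Convert an HH:MM:SS timestamp to seconds since midnight."""
    h, m, s = (int(p) for p in ts.split(":"))
    return h * 3600 + m * 60 + s


def find_ek_sequences(flows, window=30):
    """Per client IP, look for: Flash object -> 404 -> binary download, all within `window` seconds."""
    hits = []
    by_client = defaultdict(list)
    for f in flows:
        by_client[f["src_ip"]].append(f)
    for client, rows in by_client.items():
        rows.sort(key=lambda r: _secs(r["timestamp"]))
        for i, swf in enumerate(rows):
            if swf["content_type"] not in FLASH_TYPES:
                continue
            t0 = _secs(swf["timestamp"])
            not_found = None
            for later in rows[i + 1:]:
                if _secs(later["timestamp"]) - t0 > window:
                    break
                if later["status"] == "404" and not_found is None:
                    not_found = later
                elif (not_found is not None and later["status"] == "200"
                      and later["content_type"] in PAYLOAD_TYPES):
                    hits.append({
                        "client": client,
                        "flash_uri": swf["uri"],
                        "not_found_uri": not_found["uri"],
                        "payload_uri": later["uri"],
                        "payload_flow": later,
                    })
                    break
    return hits


def referer_chain(flows, flow, max_depth=10):
    """Walk Referer headers backwards from `flow` and return the chain in request order."""
    index = {"http://" + f["host"] + f["uri"]: f for f in flows}
    chain = ["http://" + flow["host"] + flow["uri"]]
    cur = flow
    for _ in range(max_depth):
        ref = cur["referer"]
        if not ref or ref in chain:
            break
        chain.append(ref)
        if ref not in index:  # referer points outside the capture; stop here
            break
        cur = index[ref]
    chain.reverse()
    return chain


if __name__ == "__main__":
    flows = load_flows(SAMPLE_CSV)
    for hit in find_ek_sequences(flows):
        print("client %s: flash=%s 404=%s payload=%s" % (
            hit["client"], hit["flash_uri"], hit["not_found_uri"], hit["payload_uri"]))
        print("  chain: " + " -> ".join(referer_chain(flows, hit["payload_flow"])))
```

The 404 is kept as a required step on purpose: on its own a Flash object followed by a binary download is common on legitimate sites, while the failed request in between matches the behaviour observed in this flow. Adjust `PAYLOAD_TYPES` and `window` to the CSV you are actually working from.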
The Cerber binary had a reasonably high number of detections:
SHA256: 60e2b83d21c39f78d1612c2f5a06a943d8b6cc51c1f4a51312b85dff414f4e76
File name: b.exe
Detection ratio: 19 / 61
I only noticed one change in this Cerber, and that was the ransom note, which said (and this is not a typo) “Hi, I’am CERBER RANSOMWARE :)”; I’m fairly sure I have not seen that before.