Neutrino exploit kit sends Cerber ransomware

Published: 2016-05-04
Last Updated: 2016-05-04 02:33:31 UTC
by Brad Duncan (Version: 1)
5 comment(s)

Introduction

Seems like we're always finding new ransomware.  In early March 2016, BleepingComputer announced a new ransomware named Cerber had appeared near the end of February [1].  A few days later, Malwarebytes provided further analysis and more details on subsequent Cerber samples [2].

I've seen Cerber distributed through exploit kits (EKs) and malicious spam (malspam).  I'm only aware of .rtf attachments that download and install Cerber when opened in Microsoft Word [3].  But other types of malspam may also distribute Cerber.


Shown above:  Image of Cerber malspam from tier1net.com

By April 2016, Proofpoint reported Cerber was being distributed by Magnitude exploit kit (EK) using a Flash exploit based on CVE-2016-1019 (then a zero-day exploit) [4].  I ran across two Cerber malware samples sent by Neutrino EK near the end of April 2016, but I didn't realize it at the time [5].  Since then, other sources like broadanalysis.com have also reported Neutrino EK sending Cerber [6].

This diary examines a Cerber ransomware infection from Neutrino EK on Tuesday 2016-05-03. 


Shown above:  Cerber from Neutrino EK.

Details

The few compromised websites I've seen associated with this particular Neutrino EK campaign have similar patterns of injected script as seen below. 


Shown above:  Injected script in page from a compromised website leading to Neutrino EK.

It's a fairly straight-forward sequence of events.  The compromised website leads to Neutrino EK.  Then Neutrino EK sends Cerber ransomware.  The only issue I had was generating an infection on a virtual machine (VM).  On a VM, Cerber generated nearly the same network traffic, but it did not encrypt any files or generate any notices before deleting itself.  On a normal host, Cerber acts as you might expect, encrypting files and showing notifications.  Cerber also checks its IP and location at ipinfo.io on a normal host.  No check with ipinfo.io on a VM, though.


Shown above:  Traffic from a Cerber infection on a normal host filtered in Wireshark.


Shown above:  Traffic from a Cerber infection on a VM filtered in Wireshark.

In the above two images, Neutrino EK is on 185.58.227.227 over TCP port 80 using the following domains:

  • blmeujdhcb.eilong.top
  • mifblup.eilong.top
  • psjebmwpes.eaautomatic.top
  • wocvx.eaautomatic.top

With or without the IP check at ipinfo.io, Cerber sent UDP traffic with 9 bytes of data to 16,384 IP address from 85.93.0.0 to 85.93.63.255 (85.93.0.0/18 in CIDR notation).  The infected host used the same source/destination ports, but content within those 9 bytes changed each time.  Previous Cerber samples use different IP ranges and UDP ports.  Not sure what this UDP traffic means, though.  I haven't found any more information about it, and I haven't have time to dig into it further.

Images from the infected host


Shown above:  Desktop of the Windows host after being infected with Cerber from Neutrino EK.

As others have already reported, Cerber speaks to you.  It does this through a .vbs file named # DECRYPT MY FILES #.vbs.  This .vbs file contains Visual Basic script that causes your Windows computer to speak, saying "Attention! Attention! Attention!" ten times followed by "Your documents, photos, databases and other important files have been encrypted!"


Shown above:  VBS that causes your Cerber-infected computer to speak.

As others have already noted, you must go through other browser pages to use the Cerber Decryptor.


Shown above:  Choosing your language before you proceed.


Shown above:  Must do a CAPTCHA before you go any further.


Shown above:  The final screen for the Cerber Decryptor.


Shown above:  The final screen for the Cerber Decryptor, scrolled down a bit more.

Final words

I haven't seen as much Cerber as I've seen other ransomware like CryptXXX from Angler EK or Locky from malspam.  However, Cerber has been a fairly consistent threat since it first appeared.  I expect we'll see more Cerber in the coming weeks.

Pcaps and malware for this ISC diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] http://www.bleepingcomputer.com/news/security/the-cerber-ransomware-not-only-encrypts-your-data-but-also-speaks-to-you/
[2] https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/
[3] https://www.tier1net.com/cerber-ransomware-campaign/
[4] https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg
[5] http://www.malware-traffic-analysis.net/2016/04/29/index.html
[6] http://www.broadanalysis.com/2016/05/02/neutrino-ek-from-185-58-227-227-sends-cerber-ransomware/

Keywords:
5 comment(s)

Comments

[quote]It's a fairly straight-forward sequence of events. The compromised website leads to Neutrino EK. Then Neutrino EK sends Cerber ransomware.[/quote]

But who receives the Cerber ransomware sent?
And why does or should the receipient save and execute it then?

DON'T PANIC! As always, this Cerber thing is MOSTLY HARMLESS too!
Keep your system and ALL installed software up-to-date, use a restricted user account and implement W^X in the filesystem via SAFER/AppLocker.
[quote=comment#37021]

But who receives the Cerber ransomware sent?
And why does or should the receipient save and execute it then?

DON'T PANIC! As always, this Cerber thing is MOSTLY HARMLESS too!
Keep your system and ALL installed software up-to-date, use a restricted user account and implement W^X in the filesystem via SAFER/AppLocker.[/quote]

Thanks for the comments. I research exploit kit activity on a daily basis, so I often forget to re-emphasize some of the basic principles behind the traffic.

Exploit kit activity happens behind the scenes during casual web browsing. No one is purposely downloading or executing the malaware. This type of campaign is designed for wide-spread malware distribution, and it's not targeted. If a user's Windows computer is not fully-patched and up-to-date, it will get infected, especially if it's using default Windows settings. The users never know they have malware delivered by an exploit kit until it is too late.

As always, these reports on exploit kit activity are not designed to generate panic. They are supposed to promote awareness of a current threat. As always, if everyone keeps their software up-to-date and uses SAFER/AppLocker, we'd have far less to worry about. But that's never the case. Why else do we continue to see wave after wave of campaigns distributing malware in this manner?

I still see the occasional report on companies hit with ransomware. These methods of malware distribution are relentless, whether behind the scenes through exploit kits, or more straight-forward through malicious spam. As long as Windows' default settings allow these infections, they will remain a very real threat.

Thanks again for reminding people they can be protected through SAFER/AppLocker. I wish more people would follow your advice.
Seeing the same today with .DOT attachments, too.

Thanks for the info.
@hasherezade has a great cerber config on github. has the same range IP addresses as well as port number for the pcaps you posted on your blog.

https://gist.github.com/hasherezade/f20d48bf5a894f5c30e898087dee463b#file-404a73ba37fa813e9ab4e6e4f0480706-json
[quote=comment#37027]@hasherezade has a great cerber config on github. has the same range IP addresses as well as port number for the pcaps you posted on your blog.

https://gist.github.com/hasherezade/f20d48bf5a894f5c30e898087dee463b#file-404a73ba37fa813e9ab4e6e4f0480706-json[/quote]

Thanks... That Cerber config is good information!

Diary Archives