Michael Sconzo

The Evolution of Cerber

Blog Post created by Michael Sconzo Employee on Sep 27, 2016

Here's a great bit of research by RSA Research along with associated Live content by the Content team.

 

Background

Ransomware-as-a-Service (RaaS) offerings first emerged around May of 2015, and removes technical hurdles for would-be cyber criminals by providing configurable components that can be mixed and matched as needed based upon the runners target demographic, support services (e.g., payment processing) and even customer service [1]

Subsequently, ransomware-derived revenues have skyrocketed over the past year as operators have honed and refined their business approach.  As of summer ’16, it is widely believed that Ransomware represents the most profitable malware market to date for cyber criminals and dark web operators. 

Cerber pay screen

 

Cerber is perhaps the most profitable of recent ransomware campaigns, and recent estimates based upon analysis of statistics from counter-compromised affiliate panels project operator revenues at $2.5M for this year, based on a 40% cut of overall revenues[2].

 

Objective

The goal of this research effort is to investigate recent Cerber campaigns, identify deployment models and infrastructure, and create content/innovation that may aid in the detection of this ransomware. This is done by detonating multiple samples, analyzing the malware callbacks, and enumerating associated networks, behavior, and infrastructure. In order to accomplish the objective several tools where used: Maltego, PassiveTotal, VirusTotal, Malware-Traffic-Analysis, Google and others.

 

Findings

Research and enrichment of the core dataset, produced significant insight into 5 distinct Cerber campaigns, including what we believe to be an alpha or pilot run spanning 5/11 – 6/1, two phishing-based campaigns in July, and two Exploit Kit (EK) based campaigns in August and into early September, which RSA Research believes consistent with the purported improvements and timing for EK-delivery methods.

 

For the phishing delivered campaigns, RSA researchers identified a clear Domain Generating Algorithm (DGA) and Top Level Domain (TLD) pattern, which characterizes probable payment processing sites.  Based on a number of shared indicators (IPs, SSL certificates, and Domain registrations) that were correlated to previous Torrentlocker/Crypt0L0cker ransomware and Nuclear EK campaigns as well as a number of Alien Vault Open Threat Exchange postings[3], it is believed that these campaigns delivered mixed ransomware to victims.  Snapshots of the related Maltego graphs of these campaigns are below:

 

 

With regard to the EK-delivered Cerber campaigns, there is a significant evolution in complexity and scalability with regard to the actor’s deployment model as benchmarked from the alpha campaign through the August and September periods of activity.  Evident to this fact are the use of both perishable (sometimes rotating daily) IP infrastructure as well as nearly unique malware hashes that are created every 15 seconds[4].  Maltego snapshots of these networks with some technical details are below:

 

 

Regardless of deployment model changes, the IP-Geo check still functions as detailed in CheckPoint’s August 16th report[5] to bypass hosts in Eastern European countries or systems with correlating language settings.  IP geolocation services were seen from several providers including ‘ipinfo.io’ and ‘ip-api.com’ (neither of which are inherently malicious).

"languages": [ 1049, 1058, 1059, 1064, 1067, 1068, 1079, 1087, 1088, 1090, 1091, 2072, 2073, 2092, 2115]

"countries": [ "am", "az", "by", "ge", "kg", "kz", "md", "ru", "tm", "tj", "ua", "uz"]

Directly following the IP-Geo checks, the malware still sprays one-way Command and Control (C2) via UDP port 6892 to the well-known 31.184.234.0/23 netblock and somewhat less frequently to the 85.93.0.0/18 netblock.  There has also been some speculation that this UDP capability could be weaponized for DDOS, where the victim could redirect all response traffic from the C2 subnet to a targeted host[6]; however, RSA analysis of the binaries did not identify a ‘listen’ or redirect functions in current Cerber samples.

With regard to the ‘business’ side of Cerber, RSA was able to identify a slightly more sophisticated 16char-KEY[.]DGA[.]TLD pattern with 23 unique key values that correlate to embedded configuration files for the malware’s set up of bitcoin wallets for each victim.  This pay-site pattern was confirmed via the positive identification of 726 unique URLs[7], predominately registered with ‘Eranet International Limited’ or ‘AlpNames Limited’, and hosted on both Tor nodes as well as the rotational infrastructure detailed above.  

"2016-09-01 17:17:32", "Payment Site", "Cerber", "4kqd3hmqgptupi3p.6j7jcn[.]bid", "hxxp://4kqd3hmqgptupi3p.6j7jcn[.]bid", "offline", "104.168.102.127 | 104.168.102.127 | 167.114.138.9", "36352|16276", "US|CA"

While EK-delivered Cerber does present a challenge to diagnose intertwined ransomware and exploit kit behaviors and artifacts, some attribution can be made to particular EKs by leveraging findings on both C2 callbacks and the pay-site patterns.  Specifically, the May-June Cerber campaign demonstrates the previously noted UDP callbacks to the 85.93.0.0/18 netblock and also ‘cerberhhyed5frqa.[DGA].win’ as a naming convention for payment sites; each of these has been linked to RIG EK and the delivery of Cerber[8].  The August and September campaigns can also be attributed to a probable exploit kit.  One of the 20+ payment processing site keys noted in those campaigns was ‘unocl45trpuoefft[.]DGA[.]TLD’, which correlates to open source intelligence documentation as a known Magnitude EK naming convention[9]

 

These findings suggest that earlier Cerber campaigns may have been delivered by RIG, followed by the July phishing campaigns, and then the August-September Magnitude delivery campaigns; however much more than Cerber   During the course of this research, numerous non-Ransomware activities (e.g., malvertising and information stealing) and related infrastructures were also identified.  RSA believes that these observations demonstrate how campaign runners are diversifying across malvertising, EK’s, and ransomware to drive multiple revenue streams from their campaigns. 

 

If this is the case, then Cerber-RaaS fits well within the model previously employed by Exploit Kit authors, supplying market demand for subversive and malicious software packages.  This also shows that dark web operators are adopting mainstream models for operations and service delivery, further increasing evidence that adversaries are borrowing on legitimate business models.  An example is the Stampado ransomware, unlimited licenses being offered for $39 is a compelling example[10] of how low the bar now is for market entry.

 

 

What remains unknown is how many different groups of actors or affiliates might be actively pushing Cerber ransomware.  Given the enormous payout potential, different TTPs for the phishing and EK delivered campaigns, and a lack of any co-use infrastructure… it is possible if not likely that different actors/affiliates were responsible for each respective infection vector.  However, without further evidence this notion remains speculative.

 

Threat Intelligence & Detection

By design, the evolving nature of Cerber’s malware, distribution, and rotational infrastructure limits the shelf life and effectiveness for any indicators of compromise (IOCs).  Despite this fact, RSA FirstWatch thought the subject matter significant enough to push two sets of threat intelligence into the ‘FirstWatch Exploit Domains’ and ‘FirstWatch Exploit IPs’ feeds on 9/3 and 9/9.  Each of these feeds are set to age-off after 30-days.

 

In addition an App Rule is now available via Live that detects a set of 23 unique pay-site hosts for Cerber ransomware that correlate to embedded configuration files for the malware’s set up of bitcoin wallets for each victim.    This rule matches when the 'alias.host' (packet) or 'fqdn' (web logs) begins with one of the identified hostname patterns.  Either the HTTP_lua or HTTP native parser or one of the web log event sources is required.  You must have the September 2016 or later release of a web log event source plus the Envision Config File for the FQDN to be populated. 

alias.host begins '25z5g623wpqpdwis', '27lelchgcvs2wpm7', '32kl2rwsjvqjeui7', '3qbyaoohkcqkzrz6', '4kqd3hmqgptupi3p', '52uo5k3t73ypjije', '6dtxgqam4crv6rr6', 'cerberhhyed5frqa', 'de2nuvwegoo32oqv', 'i3ezlvkoi7fwyood', 'kkd47eh4hdjshb5t', 'lpholfnvwbukqwye', 'mphtadhci5mrdlju', 'mz7oyb3v32vshcvk', 'pmenboeqhyrpvomq', 'rzss2zfue73dfvmj', 'stgg5jv6mqiibmax', 'twbers4hmi6dc65f', 'unocl45trpuoefft', 'vrvis6ndra5jeggj', 'vrympoqs5ra34nfo', 'wjtqjleommc4z46i', 'zjfq4lnfbs7pncr5' || fqdn begins '25z5g623wpqpdwis', '27lelchgcvs2wpm7', '32kl2rwsjvqjeui7', '3qbyaoohkcqkzrz6', '4kqd3hmqgptupi3p', '52uo5k3t73ypjije', '6dtxgqam4crv6rr6', 'cerberhhyed5frqa', 'de2nuvwegoo32oqv', 'i3ezlvkoi7fwyood', 'kkd47eh4hdjshb5t', 'lpholfnvwbukqwye', 'mphtadhci5mrdlju', 'mz7oyb3v32vshcvk', 'pmenboeqhyrpvomq', 'rzss2zfue73dfvmj', 'stgg5jv6mqiibmax', 'twbers4hmi6dc65f', 'unocl45trpuoefft', 'vrvis6ndra5jeggj', 'vrympoqs5ra34nfo', 'wjtqjleommc4z46i', 'zjfq4lnfbs7pncr5'

An ESA rule is also available that Detects a pattern of Cerber ransomware in which a geolocation check of an IP is performed in order to bypass hosts in Eastern European countries directly followed by a one-way command and control (C2) via UDP port 6892. The time window, list of UDP port numbers and IP geolocation check sites are configurable. The traffic_flow Lua paser and either the native DNS or DNS_verbose_lua parsers are required. The ESA rule uses the following list of hostnames that were observed during the GeoIP check: myexternalip[.]com, ipecho[.]net, ip-addr[.]es, ipinfo[.]io, wtfismyip[.]com, freegeoip[.]net, curlmyip[.]com, ip-api[.]com, icanhazip[.]com.

 

Footnotes

[1] https://www.engadget.com/2016/09/09/customer-service-matters-when-it-comes-to-ransomware/

[2] https://threatpost.com/2-5-million-a-year-ransomware-as-a-service-ring-uncovered/119902/

[3] https://otx.alienvault.com/pulse/5790c6fbb16acc46a769a42e/

[4] https://www.malwaretech.com/2016/06/how-cerbers-hash-factory-works.html

[5] http://blog.checkpoint.com/2016/08/16/cerberring/

[6] https://www.invincea.com/2016/05/two-attacks-for-the-price-of-one-weaponized-document-delivers-ransomware-and-potential-ddos-attack/

[7] https://ransomwaretracker.abuse.ch/tracker/cerber/

[8] http://www.malware-traffic-analysis.net/2016/06/26/index.html

[9] https://otx.alienvault.com/pulse/57a6efd5151d8a0135cbb20c/

[10] https://heimdalsecurity.com/blog/security-alert-stampado-ransomware-on-sale/

 

 

Thanks to KevinAngela, and Ray for the data, research, and output.

Outcomes