Kevin Stear

The Evolution of Cerber… v4.1.x

Blog Post created by Kevin Stear Employee on Nov 4, 2016

During the end of October 2016, we have had the pleasure of witnessing yet another step in the evolution of Cerber as version 4.1.0 appeared in the wild. And while the ‘soupe de jour’ shares many similarities with past versions (much of which we detailed in our initial Cerber post[1]), there are enough differences here to warrant a brief breakdown of Cerber4. To conduct this analysis and consequently this discussion, we began with the reverse engineering and detonation of 68 Cerber4 hashes, each submitted to VirusTotal on October 30th and 31st.

 

In the Cerber 4.1.0 samples examined, the main payload is a typical installer that deletes itself after setting up the ransomware. Upon execution, the ransomware encrypts target files and tags them with a new 4-char extension (e.g., ‘.a8dd’, ‘.9ca1’, etc.). This is definitely a departure from the namesake ‘.cerber’ encrypted file extensions and sadly thwarts many basic detection capabilities.   Post encryption the executable also places a single README.HTA file in each affected folder; this is another change from past flavors of Cerber that have historically dropped three files to “help the user”. In any case, this HTML application displays instructions (accompanied by SpVoice Speak) for how to unlock encrypted files by paying a ransom.

 

Cerber4 welcome screen

 

On the network side of things, we observed DNS and then callouts to ‘btc[.]blockr[.]io’ as well as a slew of payment sites, which all appear to match patterns of key[.]6-char DGA[.]TLD, which remains consistent with the findings of our September Cerber post. Each of these payment sites is registered to Eranet International Limited (naturally), and they all appear to backend into cerberhhyed5frqa[.]6-char DGA[.]bid domains and dedicated malware servers. Like its predecessors v4.1.0 also lacks formal Command and Control (C2); instead we observed the expected UDP spray on port 6892 out to 194.165.16.0/24. This recognized netblock has been attributed to recent EITest RIG Exploit Kit (EK) banking[2] and now to Cerber campaigns. The Maltego graph below depicts an initial breakdown of Cerber4 infrastructure and related domains (as of Nov 1st, 2016).

 

cerber4 network

Upon closer evaluation of the Cerber infrastructure, our observations immediately correlated with the current pseudo-darkleech-RIGv-Cerber4.1.0-1 campaign. This probable attribution is based on continued infrastructure reuse (e.g., EITest gate), current open source intelligence[3][4], and overall cohesiveness with past tactics, techniques, and procedures (TTPs).

 

In addition to Cerber payload, we also noted some secondary activity with callbacks out to Akamai infrastructure (possibly leveraging Akamai GHost). We believe this is consistent with the growing trend for ransomware to be deployed along with more mainstream crimeware (adware, spyware, RATs, etc.), which aims to establish a secondary revenue stream (e.g., malvertising). A snapshot of our graphing for relevant IPv4 addresses and domains from these callbacks can be found below. (Note: FirstWatch is continuing its assessment of this and related trends from other campaigns as part of concurrent EK-specific effort).

 

cerber4 akamai

 

Current NetWitness and ESA detection rules still correctly identify Cerber and have been adjusted to include detection of v4.1.0 and v4.1.1. Specifically, new keys were added to the existing App Rule that detects Cerber pay-sites that correlate to embedded configuration files for the malware’s set up of bitcoin wallets for each victim.  This rule matches when the 'alias.host' (packet) or 'fqdn' (web logs) begins with one of the identified hostname patterns.  Additionally, we also added 'btc[.]blockr[.]io' to the first stage of the existing Cerber ESA rule that identifies outbound DNS (i.e., whitelisted) directly followed by a C2-ish UDP spray on port 6892.  

 

As with any of our efforts, all observed indicators of compromise (IOCs) have been disseminated via the FirstWatch Exploit Domains and FirstWatch Exploit IP feeds as of today, Nov 4th, 2016.  Hits on these feeds will tag corresponding meta data with threat.desc = "cerber4" (for cerber4 specific domains and IPs) or "EITest" for infrastructure leveraged during the corresponding Cerber4 campaign.   

 

Big thanks to Ray, Rotem, Christopher Elisan, and Angela Stranahan for their support on this effort.

 

 

 

[1] https://community.rsa.com/community/products/netwitness/blog/2016/09/27/the-evolution-of-cerber

[2] https://otx.alienvault.com/browse/pulses/?q=194.165.16

[3] http://www.malware-traffic-analysis.net/2016/10/31/index3.html

[4] https://medium.com/@rivafy89/2016-10-02-ek-psuedo-darkleech-rig-ek-cerber-1534b6186aca#.ufolv9sbh

Outcomes