It’s been several weeks since FirstWatch last conducted a detailed investigation of recent Cerber ransomware activity, and after doing so again it’s clear that not much has changed. Current infections appear to stem primarily from the ongoing PseudoDarkleech campaign, which delivers Cerber via the RIG-V exploit kit, along with a secondary malspam campaign that delivers the malware via a zipped .doc or .js attachment. In each of these instances, though, the underlying malcode appears largely unchanged (see a sample here), and as expected we observed the tell-tale UDP spray to the 184.108.40.206/24 subnet over port 6892.
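The UDP spray is the most reliable network-side signal in this behaviour, because it stands out from normal traffic by its shape rather than by any single destination: one internal host reaching many addresses in one /24 on one UDP port in a short window. The following is an added example (not FirstWatch code and not taken from the original post) that runs that heuristic over constructed flow records; the subnet and port come from the text above, while the `min_hosts` and `window_s` thresholds, the record layout and all sample addresses are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic): (epoch_ts, src, dst, proto, dport).
# One internal host walks the entire /24 on UDP/6892 in about 2.5 seconds, the
# pattern described for Cerber; the remaining records are ordinary noise.
SPRAY_SRC = "10.0.0.15"
SAMPLE_FLOWS = [
    (1486450000.0 + i * 0.01, SPRAY_SRC, f"184.108.40.{i}", "udp", 6892)
    for i in range(1, 255)
]
SAMPLE_FLOWS += [
    (1486450003.0, "10.0.0.22", "184.108.40.5", "udp", 6892),  # single hit, not a spray
    (1486450003.5, SPRAY_SRC, "184.108.40.9", "tcp", 443),     # wrong protocol, ignored
    (1486450004.0, SPRAY_SRC, "8.8.8.8", "udp", 53),           # wrong subnet and port, ignored
]


def detect_udp_spray(flows, subnet, port, min_hosts=32, window_s=60.0):
    """Return {src: distinct_hosts} for every source that reaches at least
    `min_hosts` distinct addresses inside `subnet` on UDP `port` within any
    `window_s`-second window. Both thresholds are assumptions; tune them to
    the baseline of your own network."""
    net = ipaddress.ip_network(subnet, strict=False)  # host bits in the text are tolerated
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if proto != "udp" or dport != port:
            continue
        if ipaddress.ip_address(dst) not in net:
            continue
        per_src[src].append((ts, dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        best = 0
        # Sliding window anchored at each event; quadratic per source, which is
        # fine for per-host volumes on a single UDP port.
        for i, (t0, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if ts - t0 > window_s:
                    break
                seen.add(dst)
            best = max(best, len(seen))
        if best >= min_hosts:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print(detect_udp_spray(SAMPLE_FLOWS, "184.108.40.206/24", 6892))
```

Counting distinct destinations inside the window, rather than raw packet volume, is what separates this spray from a chatty but legitimate UDP application talking to one or two servers; a single stray hit (the `10.0.0.22` record) never reaches the threshold.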
Cerber domains remain heavily registered via Eranet International Limited, and we even noted some old friends (e.g., 'Xinjuan Wang') in the registration details. We also noted the prevalence of ‘852’-prefixed 13-digit phone numbers and disposable email accounts from dropmail.com, yomail.com, 10mail.org, and emltmp.com in the registration details. These are all consistent with the ransomware's modus operandi; a snapshot of the Cerber operational infrastructure as of February 7, 2017 is below (with some notable infrastructure called out):
In the course of this analysis, we were able to improve current detection by updating keys within the NW detection capability for Cerber’s [key].[dga].[tld] payment-site format. Additionally, 225 indicators of compromise were published to RSA Live within the FirstWatch C2_IPs and C2_DOMAINs feeds (threat.source = ‘rsa-firstwatch’, threat.category = ‘ransomware’, and threat.desc = ‘cerber’).
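A shape-based check for the [key].[dga].[tld] payment-site format complements the published indicator feeds, since a hostname match on structure survives the operators rotating to domains that are not yet in any feed. The block below is an added example, not FirstWatch or NetWitness code and not derived from Cerber samples: the concrete label shapes (a 16-character lowercase hex key, a 5 to 12 letter pseudo-random middle label, a plain TLD) and the entropy threshold are assumptions chosen for illustration and should be tuned against observed hostnames before being used as a rule.

```python
import math
import re
from collections import Counter

# Label shapes below are assumptions for illustration, not taken from Cerber
# samples: a 16-char lowercase hex "key", a 5-12 letter pseudo-random "dga"
# label, and a plain alphabetic TLD.
KEY_RE = re.compile(r"^[0-9a-f]{16}$")
DGA_RE = re.compile(r"^[a-z]{5,12}$")
TLD_RE = re.compile(r"^[a-z]{2,24}$")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score higher than
    dictionary words, which repeat letters and use a narrow alphabet."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def matches_payment_site_shape(hostname, min_entropy=2.5):
    """True when `hostname` has exactly three labels that fit the assumed
    key.dga.tld shape and the middle label looks machine-generated.
    `min_entropy` is a coarse assumed cut-off, not a measured value."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    if len(labels) != 3:
        return False
    key, dga, tld = labels
    if not (KEY_RE.match(key) and DGA_RE.match(dga) and TLD_RE.match(tld)):
        return False
    return shannon_entropy(dga) >= min_entropy


def flag_hosts(hostnames):
    """Reduce a batch of observed hostnames (e.g. HTTP Host values) to the
    ones matching the assumed payment-site shape, preserving order."""
    return [h for h in hostnames if matches_payment_site_shape(h)]


# Constructed hostnames (not real Cerber infrastructure).
SAMPLE_HOSTS = [
    "0123456789abcdef.xkqzplwme.top",       # fits the assumed shape
    "0123456789abcdef.google.com",          # key fits, but the middle label is a word
    "www.example.com",                      # first label is not a hex key
    "0123456789abcdef.xkqzplwme.evil.top",  # four labels, wrong shape
]

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_HOSTS))
```

The entropy test on the middle label is deliberately a secondary filter: the hex key label carries most of the discriminating power, and entropy alone will misclassify some short English words, so the two checks are applied together rather than either on its own.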
A couple of good references by Brad Duncan for a technical walkthrough: