Kevin Stear

Blank Slate Delivers Cerber 6-15-2017

Blog post created by Kevin Stear on Jun 19, 2017

The Blank Slate campaign was observed active and delivering Cerber ransomware yesterday, June 15th, 2017. The malspam carried malicious attachments named "PO.doc" and "build.doc".


This campaign has previously been observed using multiple delivery vectors, and yesterday's run was no exception: one of the two delivery methods failed to retrieve the payload from www[.]host[.]com (HTTP 404), which is still being served from 104[.]27[.]137[.]194.

[Screenshot: cerber infection fail 404]

In this instance the second delivery method succeeded in retrieving a payload from oooweqwnenwqew[.]net, which is currently still being served from 193[.]34[.]93[.]145.

[Screenshot: cerber infection]

The payload is Cerber, "2150342-107-0_1.panse.exe", which executes and then checks in to establish payment methods via p27dokhpz2n7nvgr[.]12nwsw[.]top, a Tor2Web proxy hosted on 184[.]170[.]243[.]164.

[Screenshot: cerber check in]

Post-infection, Cerber's UDP spray was observed outbound to 87.98.176.0/22, 15.54.20.0/29 and 55.1.64.0/29 on port 6893.

[Screenshot: cerber UDP spray to port 6893]

Current NetWitness detection flags both the payment domain (key.dga.tld pattern) as 'cerber ransomware' and the UDP spray as 'cerber beaconing' in the <Indicators of Compromise> meta field. Additionally, the <File Analysis> flags 'js eval no docwrite' and 'exe filetype but not exe extension' should be treated as indicators of possibly malicious files.
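As an added illustration (not NetWitness code, and not part of the original post), the Python below sketches the detections described above over constructed log records: the key.dga.tld payment-domain shape, the UDP spray as many distinct destinations inside one /22 on port 6893 within a short window, and the 'exe filetype but not exe extension' file check. The regex, the thresholds, the log record layouts and the internal addresses in the sample data are assumptions chosen for the example.

```python
"""
Illustrative detections for the NetWitness flags described above.
Added example, not NetWitness code; patterns, thresholds and log lines are
constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Cerber payment domains follow <key>.<dga>.<tld>, reached through a Tor2Web-style
# proxy. Assumption: the key label is a 16-character base32 string (as in
# p27dokhpz2n7nvgr above) and the DGA label is alphanumeric.
PAYMENT_DOMAIN_RE = re.compile(r"^[a-z2-7]{16}\.[a-z0-9]{3,}\.[a-z]{2,}$")

# Assumed thresholds for the UDP spray heuristic.
SPRAY_PORT = 6893
SPRAY_MIN_HOSTS = 32     # distinct destinations in one /22 before we call it a spray
SPRAY_WINDOW_SEC = 60.0  # all of them within this many seconds


def is_cerber_payment_domain(fqdn: str) -> bool:
    """True when the name matches the key.dga.tld shape."""
    return PAYMENT_DOMAIN_RE.match(fqdn.lower().rstrip(".")) is not None


def flag_payment_domains(dns_log):
    """dns_log: iterable of (source_ip, queried_name). Returns the matching pairs."""
    return [(src, name) for src, name in dns_log if is_cerber_payment_domain(name)]


def detect_udp_spray(flows, port=SPRAY_PORT, min_hosts=SPRAY_MIN_HOSTS,
                     window=SPRAY_WINDOW_SEC):
    """
    flows: iterable of (timestamp, src_ip, dst_ip, proto, dst_port).
    Returns {(src_ip, dst_/22_network): distinct_dst_count} for every source that
    hit at least `min_hosts` distinct destinations inside one /22 on `port` within
    `window` seconds. One UDP packet per address across a range is the spray shape.
    """
    buckets = defaultdict(list)  # (src, /22) -> [(ts, dst), ...]
    for ts, src, dst, proto, dport in flows:
        if proto != "udp" or dport != port:
            continue
        net = ipaddress.ip_network(f"{dst}/22", strict=False)
        buckets[(src, net)].append((ts, dst))

    hits = {}
    for key, events in buckets.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if ts - t0 > window:
                    break
                seen.add(dst)
            if len(seen) >= min_hosts:
                hits[key] = len(seen)
                break
    return hits


def exe_without_exe_extension(filename: str, data: bytes) -> bool:
    """The 'exe filetype but not exe extension' idea: PE magic behind a non-.exe name."""
    return data[:2] == b"MZ" and not filename.lower().endswith(".exe")


# Constructed DNS log: (source ip, name). Only the first entry has the payment shape.
DNS_LOG = [
    ("10.0.0.5", "p27dokhpz2n7nvgr.12nwsw.top"),
    ("10.0.0.5", "www.host.com"),
    ("10.0.0.7", "oooweqwnenwqew.net"),
]

# Constructed flow log: 10.0.0.5 sends one UDP packet to each of 64 consecutive
# addresses in 87.98.176.0/22 on 6893 inside a second, plus unrelated traffic.
FLOWS = [(i * 0.01, "10.0.0.5", f"87.98.176.{i}", "udp", SPRAY_PORT) for i in range(64)]
FLOWS += [
    (1.0, "10.0.0.7", "8.8.8.8", "udp", 53),
    (2.0, "10.0.0.5", "10.0.0.1", "tcp", SPRAY_PORT),  # TCP, not part of the spray
]

if __name__ == "__main__":
    print("payment domains:", flag_payment_domains(DNS_LOG))
    for (src, net), n in detect_udp_spray(FLOWS).items():
        print(f"cerber beaconing: {src} -> {net} ({n} hosts on udp/{SPRAY_PORT})")
    print("MZ under .doc name:", exe_without_exe_extension("build.doc", b"MZ\x90\x00"))
```

The spray heuristic keys on source plus destination /22 rather than on a fixed IOC list, so it also catches the next range Cerber sweeps; the price is that legitimate UDP scanners hitting the same port would trip it, which is why the port and host-count thresholds are kept as tunable assumptions.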

[Screenshot: NW cerber beaconing detection]
