Rajas Save

Ransomware Cerber v6.x - Delivery and Detection

Blog post created by Rajas Save (Employee) on Jun 19, 2017

Cerber ransomware has again taken the cyber world by storm, taking an 87% share of cyber-attacks in the 1st quarter of 2017, and it has remained the most profitable ransomware on the market for close to a year now. A little over a year after its first variants were found in the wild, the Cerber developers have released their 6th edition codebase, which boasts a slew of new improvements.

Specifically, Cerber has added new encryption patterns and anti-VM and anti-sandboxing features, which raise the bar for researchers (and automated systems) trying to detonate and identify the new ransomware. These new features, combined with varied distribution channels, show that the Cerber crew is taking ransomware development to the next level, making it by far the most dangerous ransomware on the market today.

Here is some of the previous research from RSA about Cerber ransomware and its evolution:

The following table shows the features of the different Cerber versions (an asterisk marks features that are configurable through the Cerber RaaS):

| Feature | Cerber v1, v2 and v3 | Cerber v4 | Cerber v5 | Cerber SFX | Cerber v6 |
|---|---|---|---|---|---|
| File type | EXE | EXE | EXE | SFX (loader), VBS, DLL | EXE |
| Exceptions (Cerber doesn't execute if it detects certain components on the system) | Language in v1 and v3*; language and antivirus (AV) in v2* | Language* | Language* | AV, VM, sandbox (loader*) and language* | Language* |
| Anti-AV routine | None | None | None | None | EXE files of AV, firewall and antispyware products are blocked by Windows Firewall rules* |
| Anti-sandbox | None | None | None | VM and sandbox (loader*) | VM and sandbox (loader*) |
| Backup deletion | Yes (vssadmin, WMIC, BCDEdit)* | Yes (WMIC)* | Yes (WMIC)*; removed in v5.02 | Varies (some samples have backup deletion capabilities) | Varies (some samples have backup deletion capabilities) |
| Exclusion list (directories and file types Cerber doesn't encrypt) | Folder and file* | Folder and file* | Folder and file*; and AV, antispyware and firewall directories | Folder and file*; and AV, antispyware and firewall directories | Folder and file* |

*Cerber RaaS configurable

Exploit kits and malspam emails are the two major delivery vectors for Cerber today. In the case of exploit kits, a compromised site or malvertising often redirects victims to a malicious landing page that downloads and executes a payload. With malspam, a victim is typically tricked into clicking a link to download and run .js, .ps1 or SFX files, which eventually inject and execute the ransomware payload.

The following diagram shows Cerber delivery in brief:

Until May 2017, Cerber was heavily using RigEK over malspam campaigns to deliver infections; then, after the combined efforts of researchers and the domain registrar GoDaddy, a massive number of Rig-related shadow domains were taken down during Operation Shadowfall. Post Shadowfall, the group's distribution vector shifted to more malspam-centric campaigns for delivering the Cerber payload. The delivery of Cerber via the 'Blank Slate' campaign in the 2nd quarter of 2017 is evidence of this, and a diagram of the infection vector is below.

'Blank Slate' delivery is through spam emails with subjects like "Unusual Sign-In Activity", "Chrome Update", "Delivery Invoice", etc. Unwitting victims are tricked into clicking a provided link or button to download a zip file which, once extracted, injects a .js, .doc or .ps1 script that downloads and installs the Cerber payload.

RTF files with macros are also used to trigger ransomware delivery; a great explanation of both the RTF vector and the recent MS 2017-10 zero day by RSA's own Kevin Douglas can be found here.

New variants of Cerber also show new and distinctive patterns in post-exploitation traffic: the UDP beaconing port has changed, along with some new payment-site alias hosts. After April 2017, the Cerber payment sites, patterns and UDP port (now 6893, previously 6892) all changed.

RSA NetWitness Live content can detect the newest variants of Cerber beaconing. An updated Event Stream Analysis (ESA) rule looks for a spray of suspected outbound command and control (C2) traffic over UDP to ports 6892 and 6893 from a single source IP to multiple destination IPs within the same netblock.

NetWitness Packet also has an application rule that detects Cerber pay-site patterns, correlating on the ransomware's embedded configuration files used to set up bitcoin wallets for each victim. This rule matches when the 'alias.host' (packet) or 'fqdn' (web logs) meta begins with one of the identified pay-sites.

Meta Keys:

  • Risk Warning = cerber ransomware
  • Indicators of Compromise = cerber ransomware
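To make the two detections above concrete, here is an added example (not RSA NetWitness content, and not the ESA or application rule itself) that re-implements both ideas in Python over constructed data: the UDP spray check from the ESA rule description (one source IP, UDP to port 6892/6893, many distinct destinations inside one netblock within a time window) and the pay-site prefix match from the application rule. The flow-record format, the thresholds (10 destinations in 60 seconds, /24 netblocks) and the pay-site prefixes are all assumptions of this example; the real pay-site patterns come from the RSA Live feed, not from anything shown here.

```python
"""Added example (not RSA NetWitness content): the two Cerber v6 network
detections described above, re-implemented over constructed sample data.

1. detect_udp_spray() mirrors the ESA rule: one source IP sending UDP to
   port 6892/6893 at many distinct destination IPs in the same netblock.
2. matches_paysite() mirrors the application rule: alias.host / fqdn
   begins with a known pay-site prefix (placeholders here, not real IOCs).
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Beaconing ports named in the advisory: 6892 (older builds), 6893 (after April 2017).
CERBER_UDP_PORTS = {6892, 6893}

# Constructed placeholder prefixes. Real pay-site patterns ship in the RSA Live feed.
PAYSITE_PREFIXES = ("paysite-placeholder-a", "paysite-placeholder-b")


def parse_flow(line):
    """Parse one constructed flow record: '<epoch> <proto> <src_ip> <dst_ip> <dst_port>'."""
    ts, proto, src, dst, dport = line.split()
    return {"ts": int(ts), "proto": proto.lower(),
            "src": ip_address(src), "dst": ip_address(dst), "dport": int(dport)}


def detect_udp_spray(flows, ports=CERBER_UDP_PORTS, netblock_prefix=24,
                     min_dests=10, window=60):
    """Return one alert per (source IP, destination netblock) whose UDP traffic to
    the Cerber ports reached `min_dests` distinct destinations within `window` seconds.
    Thresholds are assumptions of this example, not values from the ESA rule."""
    groups = defaultdict(list)
    for f in flows:
        if f["proto"] != "udp" or f["dport"] not in ports:
            continue
        block = ip_network(f"{f['dst']}/{netblock_prefix}", strict=False)
        groups[(f["src"], block)].append((f["ts"], f["dst"], f["dport"]))

    alerts = []
    for (src, block), events in groups.items():
        events.sort()
        in_window = Counter()  # distinct destinations currently inside the sliding window
        left = 0
        peak = 0
        for ts, dst, _ in events:
            in_window[dst] += 1
            # Expire events older than the window from the left edge.
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if not in_window[old]:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_dests:
            alerts.append({"src": str(src), "netblock": str(block),
                           "distinct_dests": peak,
                           "ports": sorted({e[2] for e in events})})
    return alerts


def matches_paysite(host, prefixes=PAYSITE_PREFIXES):
    """True when the host name (alias.host or fqdn) begins with a pay-site prefix."""
    host = host.lower().rstrip(".")
    return any(host.startswith(p) for p in prefixes)


# Constructed sample flows (documentation address ranges, not real hosts):
# 10.0.0.5 sprays UDP/6893 at 12 hosts in 198.51.100.0/24 within 12 seconds;
# the remaining records are benign DNS, a single-destination beacon and TCP.
SAMPLE_FLOWS = [f"{1000 + i} udp 10.0.0.5 198.51.100.{i + 1} 6893" for i in range(12)] + [
    "1005 udp 10.0.0.5 203.0.113.9 53",
    "1006 udp 10.0.0.7 198.51.100.77 6893",
    "1007 tcp 10.0.0.7 198.51.100.78 443",
]


def run_sample():
    """Run the spray detection over the constructed data; returns the alerts."""
    return detect_udp_spray([parse_flow(line) for line in SAMPLE_FLOWS])


if __name__ == "__main__":
    for alert in run_sample():
        print("Cerber beaconing spray:", alert)
    print("pay-site match:", matches_paysite("paysite-placeholder-a1b2c3.example"))
```

The sliding window matters in practice: a host that talks to many peers in a /24 over a whole day (a scanner, a backup agent) should not trip the rule, whereas Cerber's statistics beacon hits dozens of addresses in the same block within seconds. Tightening the window while keeping the destination count is the usual way to cut false positives without missing the burst.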

All the IOCs are added to the following feeds on Live:

  • RSA FirstWatch Command and Control Domains
  • RSA FirstWatch Command and Control IPs

Thanks go to Kevin Stear for contributing to this threat advisory.
