This campaign has been previously noted with multiple delivery vectors. This was again seen in yesterday's campaign, where one of the two delivery methods failed to retrieve the payload from www[.]host[.]com, which is still being served from 104[.]27[.]137[.]194.
In this instance, the second delivery method succeeded in retrieving a payload from oooweqwnenwqew[.]net, which is still currently being served from 193[.]34[.]93[.]145.
Post infection, noted Cerber UDP spray outbound to 22.214.171.124/22, 126.96.36.199/29, 188.8.131.52/29 on port 6893.
Current NetWitness detection flags both payment domain (key.dga.tld pattern) as 'cerber ransomware' and the UDP spray as 'cerber beaconing' in the <Indicators of Compromise> meta field. Additionally, <File Analysis> flags for 'js eval no docwrite' and 'exe filetype but not exe extension' should be noted as indicators of possibly malicious files.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.