Cerber Ransomware Partners with the Dridex Spam Distributor

Cerber ransomware incorporates the unusual feature of “speaking” its
ransom message after successfully infecting a user machine and
encrypting files. Cerber was first
seen in the wild
at the end of February 2016 and was observed
being delivered mostly via exploit kits (EK), notably using Magnitude
and Nuclear Pack’s zero-day
Flash exploit.

Figure 1 shows that on April 28, 2016, we observed a significant
increase in Microsoft Office document-based macro downloader spam
campaigns delivering Cerber ransomware as the payload. Since then we
observed successor campaigns at the same level of volume. What is more
notable about these campaigns is that the same distribution framework
used by Dridex seems to be the one delivering this Cerber campaign.

Figure 1. Cerber spam activity trend

Through FireEye’s Dynamic Threat Intelligence (DTI), we observed
that one Cerber spam campaign from May 4 was widely spread throughout
the world, with the most targets in the United States (see Figure 2).

Figure 2. Geographical distribution of Cerber
spam seen by FireEye DTI in May 4

Macro based Downloader

The malicious document attachment contains a macro that drops a
VBScript in the %appdata% path of the machine. The rest of the
malicious activities are performed by the dropped VBScript. This
method of malware delivery is used instead of sending the VBScript
directly as an email attachment, since some email gateway policies
might block attached scripts.

The dropped VBScript includes obfuscated code that is used to
download the Cerber payload.

The following are some of the obfuscation techniques used, briefly summarized:

  1. Declare several variables that are not used in the code. This
    junk code is added to deter reverse engineering.
  2. A
    subroutine is used for delaying execution. This subroutine will
    increment a counter variable from 1 to 96166237. After completing
    the FOR loop, it compares the value of the variable with 96166237 to
    ensure that the FOR loop executed completely and there was no short
    circuit done (see Figure 3). This is done to detect automated
    analysis systems.

Figure 3. Delay execution routine in VBScript

HTTP Range Request for Internet Connectivity Check

Before downloading the Cerber payload, a check is performed by the
VBScript to ensure that the environment has internet connectivity.

As seen in Figure 4, the VBScript sends an HTTP Range Request to a
benign website. It looks for the string “Partial Content” in the HTTP
response status text, as “206 Partial Content” is the expected
response code for an HTTP Range Request according to RFC7233. If the
response code is not correct, the VBScript calls a function to enter
an infinite loop. In this way, the execution does not complete without
Internet connectivity.

Figure 4. HTTP Range Request check for internet connectivity

Cerber Payload Download Method

After the check for internet connectivity is performed, the VBScript
sends another HTTP Range Request to fetch a JPEG file from the URL: hxxp://bsprint[.]ro/images/karma-autumn/bg-footer-bottom.jpg?ObIpcVG=

In the HTTP Request Headers, it sets the value of Range Header to:
"bytes=11193-". This indicates to the web server to return
only the content starting at offset 11,193 of the JPG file.

The response content of this request is XORed with the key:
"amfrshakf". Figure 5 shows the code section corresponding
to the decryption routine.

Figure 5. Payload decoding routine

This technique of downloading the final payload using an HTTP Range
Request check has been leveraged in the past by Dridex and Ursnif. We
have observed similar obfuscation techniques used in the dropped
VBScript as well.

Cerber Ransomware (MD5: 5a2ea6a1d12dcbeb840f5070c7f1e2f8)

There are no significant changes in the behavior of the Cerber
payload in this spam campaign when compared to earlier variants. It
still uses the ‘.cerber’ file extension name for the encrypted files.
In this particular sample it checks for the country location, local
language and whether it is inside a virtual machine environment as per
its decrypted configuration, as seen in Figure 6.

Figure 6. Configuration for country location,
language and virtual environment checks

This variant is also configured to target email, Word documents, and
Steam (gaming) related files. It closes the related processes to have
access to possible opened target files.

Figure 7. Configuration for closing processes

The malware asks the victim to visit any of the following websites
to pay the ransom and receive further steps to decrypt the encrypted files.

  • hxxp://decrypttozxybarc[.]dconnect[.]eu
  • hxxp://decrypttozxybarc[.]tor2web[.]org
  • hxxp://decrypttozxybarc[.]onion[.]cab
  • hxxp://decrypttozxybarc[.]onion[.]to
  • hxxp://decrypttozxybarc[.]onion[.]link

While examining the decrypted configuration file, we found
indications of the possible addition of a spambot module. The malware
operator can set options for the email attachment, subject and the
email body in the configuration, as seen in Figure 8. In this sample,
this feature seems to be in its development or test stage. In order
for the malware to be used as a spambot, it would also need a list of
email addresses to send the spam email.

Figure 8. Possible spambot related configuration

Conclusion

By partnering with the same spam distributor that has proven its
capability by delivering Dridex on a large scale, Cerber is likely to
become another serious email threat similar to Dridex and Locky. This
is in addition to the fact that Cerber is already known to be
delivered through exploit kits. We advise users to be cautious when
opening documents and other files from unknown senders, especially
when asked to enable macros.

Ransomware authors are constantly upgrading their craft in order to
maximize profits. An addition of a spambot module, for example, can
add value to their ransomware, since victim machines will also be used
as spam email distributors.

Hashes

Spam email

ace933ac89b5cdb6937bf1a43e265d9eb4cb11eead52be2709c4df2194ee3ba0
191db27efb10f96f2fcabcd6d5d759433b687b89a8b6fd90c123fe379b8b98eb
c5aa84c52764f3583e78a62adf8ed8bfda409ff4c8c306a155b82d7da66d0e95
3d0e5ea98fead3c28c6a9f4c6519e6488c4a791e1a40f701bb4fd681163804fe
72ac6b80deaeea9081ebed7edf7c9943813afbbbbbc365e1a781efa04d5765fc
304c21c77b52dce69bddc421b4166627a37068e18296920ac09bbd7cd4962748

Cerber payload

c6f29582e489506ccb14f19fdfa7c16

This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog