Introduction

"One, if by land, and two, if by sea" is a phrase used by American poet Henry Wadsworth Longfellow in his poem "Paul Revere's Ride," first published in 1861. Longfellow's poem tells a somewhat fictionalized tale of Paul Revere in 1775 during the American Revolution. If British troops came to attack by land, Paul would hang one lantern in a church tower as a signal light. If British troops came by sea, Paul would hang two lanterns.

Much like the British arriving by land or by sea, Cerber ransomware has two main routes from which to rob your critical data of its independence. The first and most widely-used route is through email or malicious spam (malspam). The second route is through exploit kits (EKs).

Am I comparing colonial-era British troops to Cerber ransomware in our current cyber landscape? You bet I am! Is it an accurate comparison? Probably not!

Nonetheless, when I think of Cerber, I often think "One, if by email, two, if by exploit kit."

Yesterday's diary reviewed Cerber through email, so I've already hung that lantern. Today I'll hang another lantern as we look at examples of Cerber ransomware through EKs.

Background

As I've discussed before, EKs are merely a method to distribute malware. Criminal groups establish campaigns utilizing EKs to distribute their malware. I often see indicators of campaigns that use Magnitude EK or Rig EK to distribute Cerber ransomware.

In my lab environment, I generally don't generate much Magnitude EK. Why? Because Magnitude usually happens through a malvertising campaign, and that's quite difficult to replicate. By the time any particular malvertisement's indicators are known, the criminals have moved to a new malvertisement.

Since early October 2016, I've typically seen Cerber ransomware from the pseudoDarkleech campaign using Rig EK. PseudoDarkleech currently uses a variant of Rig EK that researcher Kafeine has designated as Rig-V, because it's a "VIP" version that's evolved from the old Rig EK.

EITest is another major campaign that utilizes EKs to distribute malware. Although EITest distributes a variety of malware, I'll occasionally see Cerber sent by this campaign.

On Thursday 2016-12-15, I generated two examples of EK-based campaigns delivering Cerber ransomware. One was from the pseudoDarkleech campaign, and the other was from EITest.

Shown above: Flow chart for both infections.

The traffic

Both pseudoDarkleech and EITest use legitimate websites to kick off an infection chain. These websites are compromised, and if conditions are right, pages from these compromised sites have injected script. The injected script generates an iframe with an EK landing page URL. Each campaign has distinct patterns of injected script.

Shown above: EITest script pointing to Rig-V on 2016-12-15.

t the infection traffic in Wireshark, you'll find Rig-V with different domain names, but the same IP address both times. For both infections, I could not reach the page for the Cerber decryption instructions. The server didn

Shown above: Second infection (EITest) Rig-V on 2016-12-15.

Patterns for Rig-V and Cerber haven't changed much since my previous diary covering the pseudoDarkleech campaign on 2016-10-14. Only the domains and IP addresses are different.

The infected Windows desktop

Below is an image of the desktop from an infected Windows host. These samples of Cerber dropped an image to the desktop along with an .hta file containing the decryption instructions.

Shown above: My copies of poems by Henry Wadsworth Longfellow... All gone!

Indicators of Compromise (IOCs)

The following are IOCs for the infection traffic I generated:

  • 195.133.49.182 port 80 - hit.thincoachmd.com - Rig-V from the EITest campaign
  • 195.133.49.182 port 80 - new.slimcoachmd.com - Rig-V from the pseudoDarkleech campaign
  • 1.11.32.0 to 1.11.32.31 (1.11.32.0/27) UDP port 6892 - Cerber post-infection UDP traffic
  • 55.15.15.0 to 55.15.15.31 (55.15.15.0/27) UDP port 6892 - Cerber post-infection UDP traffic
  • 194.165.16.0 to 194.165.17.255 (194.165.16.0/23) UDP port 6892 - Cerber post-infection UDP traffic
  • 185.45.192.155 port 80 - ftoxmpdipwobp4qy.19dmua.top - attempted HTTP connections by Cerber from pseudoDarkleech campaign
  • 185.45.192.155 port 80 - ffoqr3ug7m726zou.19dmua.top - attempted HTTP connections by Cerber from EITest campaign

The following are file hashes and other info for the Flash exploit and Cerber ransomware:

File description: Rig-V Flash exploit seen on 2016-12-15

  • SHA256 hash: df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf
  • File size: 14,094 bytes

File description: Cerber ransomware sent by Rig-V from the pseudoDarkleech campaign on 2016-12-15

  • SHA256 hash: 4e877be5523d5ab453342695fef1d03adb854d215bde2cff647421bd3d583060
  • File size: 252,967 bytes
  • File path: C:\Users\[username]\AppData\Local\Temp\rad8AA1F.tmp.exe

File description: Cerber ransomware sent by Rig-V from the EITest campaign on 2016-12-15

  • SHA256 hash: 0e395c547547a79bd29280ea7f918a0559058a58ffc789940ceb4caf7a708610
  • File size: 245,715 bytes
  • File path: C:\Users\[username]\AppData\Local\Temp\rad8DE79.tmp.exe

Final words

Pcap and malware for this diary can be found here.

As always, properly-administered Windows hosts are not likely to be infected by pseudoDarkleech, EITest, and other campaigns. As long as your Windows host is up-to-date and fully patched, your risk is minimal. If you

Paul said to his friend,
And I on the opposite shore will be,
Ready to respond and spread the alarm
Through every IT department and server farm,
For the company's folk to be up and to arm.

Shown above: What really happened with Paul the incident responder.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

If you run a mainstream distribution of Linux on a desktop computer, there's a good chance security researcher Chris Evans can hijack it when you do nothing more than open or even browse a specially crafted music file. And in the event you're running Chrome on the just-released Fedora 25, his code-execution attack works as a classic drive-by.

The zero-day exploits, which Evans published on Tuesday, are the latest to challenge the popular conceit that Linux, at least in its desktop form, is more immune to the types of attacks that have felled Windows computers for more than a decade and have increasingly snared Macs in recent years.

While Evans' attacks won't work on most Linux servers, they will reliably compromise most desktop versions of Linux, which employees at Google, Facebook, and other security-conscious companies often use in an attempt to avoid the pitfalls of Windows and Mac OS X. Three weeks ago, Evans released a separate Linux zero-day that had similarly dire consequences.


 
RedHat Ceph CVE-2016-9579 Remote Denial of Service Vulnerability
 
Red Hat OpenShift Enterprise CVE-2016-8651 Information Disclosure Vulnerability
 

An image sent by DNC staffer Alexandra Chalupa shows a warning message she received from Yahoo Mail. She may have been targeted using data from one of the Yahoo breaches or a forged cookie based on stolen Yahoo code. (credit: Alexandra Chalupa)

In October of 2013, as a result of documents leaked by Edward Snowden, we learned the National Security Agency tapped straight into the connections between data centers at Yahoo and Google as part of a program called MUSCULAR. A month later, Yahoo announced it would encrypt all of its internal networks between data centers and add Secure Socket Layer encryption and secure (HTTPS) Web connections to all its services.

That move, however, failed to prevent two major breaches of user data: a breach affecting user data from more than 500 million user accounts late in 2014 (revealed in September) and the breach revealed yesterday involving data from more than 1 billion accounts. The recent break took place in August of 2013—before the barn door was closed. In addition, Yahoo's chief information security officer, Bob Lord, said that the parties behind the 2014 breach had stolen some of Yahoo's code and used it to forge Web "cookies" that gave access to users' accounts without the need to use login credentials.

Evidence of the August 2013 breach was given to Yahoo by "law enforcement officials," according to Lord, but it was likely discovered by a security researcher watching for data on underground markets. That suggests the data was in circulation in underground marketplaces in one form or another and actively in use by Internet criminal rings for a variety of purposes. If that's the case, then practically all of Yahoo's users who set up accounts prior to 2013 may have had details from their accounts used in targeted attacks, attempts to gain access to other Web accounts and cloud services, or any number of other scams.


 
Linux Kernel 'arch/x86/kvm/vmx.c' Denial of Service Vulnerability
 
MongoDB CVE-2016-3104 Remote Denial of Service Vulnerability
 
FreeIPA CVE-2016-7030 Denial of Service Vulnerability
 
Debian CVE-2016-1253 Remote Command Injection Vulnerability
 
JasPer 'jpc_t2cod.c' Remote Heap Buffer Overflow Vulnerability
 
Red Hat JBoss Enterprise Application Platform CVE-2016-9585 Remote Denial of Service Vulnerability
 
 
Huawei Firewall CVE-2016-8781 Remote Denial of Service Vulnerability
 
Joyent SmartOS CVE-2016-9033 Local Stack Buffer Overflow Vulnerability
 
Joyent SmartOS CVE-2016-9034 Local Stack Buffer Overflow Vulnerability
 
Joyent SmartOS CVE-2016-9035 Local Stack Buffer Overflow Vulnerability
 
Matroska libEBML CVE-2016-1515 Multiple Double Free Denial of Service Vulnerabilities
 
Joyent SmartOS CVE-2016-9032 Local Stack Buffer Overflow Vulnerability
 
Nagios Core CVE-2016-9565 Remote Command Injection Vulnerability
 
Joyent SmartOS CVE-2016-9031 Local Integer Overflow Vulnerability
 
Nagios CVE-2016-9566 Local Privilege Escalation Vulnerability
 
MSIE 9 IEFRAME CMarkupPointer::MoveToGap use-after-free
 
Python-RSA CVE-2016-1494 Security Bypass Vulnerability
 
Fontconfig CVE-2016-5384 Local Privilege Escalation Vulnerability
 
powerpc-utils CVE-2014-8165 Remote Code Execution Vulnerability
 
util-linux CVE-2016-5011 Local Denial of Service Vulnerability
 
ISC DHCP CVE-2016-2774 Remote Denial of Service Vulnerability
 
NVIDIA Windows Kernel Mode Driver CVE-2016-8708 Local Denial of Service Vulnerability
 
Apple tvOS/Mac OS X/iOS CVE-2016-1823 Memory Corruption Vulnerability
 
Nagios Core < 4.2.2 Curl Command Injection leading to Remote Code Execution [CVE-2016-9565]
 

Introduction

Last month on 2016-11-22, I saw 10 items of malicious spam (malspam) sent to my spam folder. The messages all had links to malware. Unfortunately, by the time I examined those emails, the links were no longer active. I sent a tweet about it and moved on to other things [1].

Flash forward to this week. On Tuesday 2016-12-13, @malwrhunterteam noticed the same type of malspam [2]. I checked my spam folder and found another four similar messages. This time, the links were still active, and I generated a full chain of infection traffic. That wave of malspam distributed Cerber ransomware.

The very next day on Wednesday 2016-12-14, I noticed another two messages in my spam folder with the same characteristics using a different domain. This wave of malspam also distributed Cerber ransomware.

Today's diary looks at indicators from these three waves of malspam. Perhaps we can get a better idea of the actor behind this activity.

Chain of events

The four emails from 2016-12-13 have links that downloaded a .js file. In my lab environment, double-clicking the .js file downloaded and installed Cerber ransomware. The two emails from 2016-12-14 have a link for a Microsoft Word document. The Word document has a malicious macro.

Shown above: Data on the malspam (part 2 of 2).

recipient email addresses in the malspam I received during all three waves:

Below are the subject lines I saw for each of the three waves:

  • 2016-11-22 - Subject: Domain Abuse Notice: [your domain name]
  • 2016-12-13 - Subject: Final Domain Abuse Notice: [your domain name]
  • 2016-12-14 - Subject: Third Invoice Overdue Notice for [your domain name]

For each wave I saw, the emails all came from the same mail server. These servers also hosted the malicious links within the malspam. The servers were:

  • 2016-11-22 - 37.61.222.141 - mail.domaincop.org
  • 2016-12-13 - 104.223.81.29 - mail.domaincop247.com
  • 2016-12-14 - 104.223.81.234 - mail.ccnotice.net

Based on the domain names and IP addresses, the criminals likely abused commercially available services. Below is the registration info and date registered for each domain.

First wave domain name: domaincop.org

  • Sponsoring registrar: Namesilo, LLC
  • Date registered (creation date): 2016-11-22
  • Date I received the malspam: 2016-11-22

Second wave domain name: domaincop247.com

  • Registrar: eNom, Inc (Reseller: Namecheap.Com)
  • Date registered (creation date): 2016-11-30
  • Date I received the malspam: 2016-12-13

Third wave domain name: ccnotice.net

  • Registrar: eNom, Inc (Reseller: Namecheap.Com)
  • Date registered (creation date): 2016-12-12
  • Date I received the malspam: 2016-12-14

All domains used a privacy guard service for the registration info, and all domains used name servers from cloudflare.com. Below is information on the IP addresses hosting the malspam domains:

  • First wave: 37.61.222.141 - Germany: velia.net Internetdienste GmbH
  • Second wave: 104.223.81.29 - US: Quadranet, Inc
  • Third wave: 104.223.81.234 - US: Quadranet, Inc

Links from the emails were unique for each email during the first two waves.

Shown above: Links from the emails.

For details, see the spreadsheet available here.

Traffic

In both waves I have traffic for, the same URL for the Cerber ransomware executable was generated, whether it was the .js file from 2016-12-13 or the .doc macro from 2016-12-14.

Shown above: .doc macro from 2016-12-14 getting the Cerber executable.

The Cerber ransomware was different each day, each with a different file hash, and each with different IP addresses and domains during the post-infection traffic.

Shown above: Windows desktop from the 2016-12-13 infection.

Below are indicators of compromise (IOCs) for traffic generated from the 2016-12-13 wave of malspam:

  • 104.28.11.141 port 80 - www.domaincop247.com - various GET requests redirect to next URL
  • 104.28.10.141 port 80 - report.domaincop247.com - GET /view/download.php?download_file=Domain_Abuse_Report_Viewer.js
  • 185.153.198.117 port 80 - ggjghhfhfh.com - GET /kqaer2c56ds34caq12/file.exe
  • 15.49.2.0 to 15.49.2.31 (15.49.2.0/27) UDP port 6892 - Cerber post-infection UDP traffic
  • 122.1.13.0 to 122.1.13.31 (122.1.13.0/27) UDP port 6892 - Cerber post-infection UDP traffic
  • 194.165.16.0 to 194.165.17.255 (194.165.16.0/23) UDP port 6892 - Cerber post-infection UDP traffic
  • 37.10.71.202 port 80 - ftoxmpdipwobp4qy.1mznhc.top - Cerber post-infection HTTP traffic

Below are IOCs for traffic generated from the 2016-12-14 wave of malspam:

  • 185.153.198.117 port 80 - view.ccnotice.net - GET /clients/Invoice_349KL.doc
  • 185.153.198.117 port 80 - ggjghhfhfh.com - GET /kqaer2c56ds34caq12/file2.exe
  • 1.11.32.0 to 1.11.32.31 (1.11.32.0/27) UDP port 6892 - Cerber post-infection UDP traffic
  • 55.15.15.0 to 55.15.15.31 (55.15.15.0/27) UDP port 6892 - Cerber post-infection UDP traffic
  • 194.165.16.0 to 194.165.17.255 (194.165.16.0/23) UDP port 6892 - Cerber post-infection UDP traffic
  • 185.45.192.155 port 80 - ffoqr3ug7m726zou.19dmua.top - Cerber post-infection HTTP traffic
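As an added example (not code from either diary), the following Python checks a flow log for the Cerber post-infection indicators listed in this diary and in the EK diary above: UDP port 6892 traffic into the /27 and /23 ranges, and HTTP connections to the .top decryption-instruction hosts. The log format and the sample lines are constructed for the example.

```python
import ipaddress

# Cerber indicators copied from the two diaries: post-infection UDP traffic to whole
# /27 and /23 ranges on UDP port 6892, and HTTP to the decryption-instruction hosts.
CERBER_UDP_RANGES = [ipaddress.ip_network(n) for n in (
    "1.11.32.0/27", "55.15.15.0/27", "15.49.2.0/27",
    "122.1.13.0/27", "194.165.16.0/23")]
CERBER_UDP_PORT = 6892
CERBER_HTTP_HOSTS = {"ftoxmpdipwobp4qy.19dmua.top", "ffoqr3ug7m726zou.19dmua.top",
                     "ftoxmpdipwobp4qy.1mznhc.top"}

def parse_line(line):
    # Hypothetical flow-log format (constructed): ts src dst proto dport [http_host]
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, src, dst, proto, dport = parts[:5]
    host = parts[5] if len(parts) > 5 else ""
    return ts, src, dst, proto.lower(), int(dport), host

def check_flow(ts, src, dst, proto, dport, host):
    # Return (ts, src, dst, reason) when the flow matches an indicator, else None.
    if proto == "udp" and dport == CERBER_UDP_PORT:
        addr = ipaddress.ip_address(dst)
        for net in CERBER_UDP_RANGES:
            if addr in net:
                return (ts, src, dst, "Cerber UDP/6892 to %s" % net)
    if proto == "tcp" and dport == 80 and host in CERBER_HTTP_HOSTS:
        return (ts, src, dst, "Cerber HTTP to %s" % host)
    return None

def scan_log(lines):
    # Collect every matching flow; any source with hits should be isolated.
    hits = []
    for line in lines:
        rec = parse_line(line)
        hit = check_flow(*rec) if rec else None
        if hit:
            hits.append(hit)
    return hits

# Constructed sample: two UDP/6892 flows inside the ranges, one just past the
# 1.11.32.0/27 boundary (.40), a DNS query, and one HTTP request to a Cerber host.
SAMPLE_LOG = """\
2016-12-15T14:02:01Z 192.168.1.50 194.165.17.9 udp 6892
2016-12-15T14:02:01Z 192.168.1.50 1.11.32.7 udp 6892
2016-12-15T14:02:02Z 192.168.1.50 1.11.32.40 udp 6892
2016-12-15T14:02:05Z 192.168.1.50 8.8.8.8 udp 53
2016-12-15T14:03:10Z 192.168.1.50 185.45.192.155 tcp 80 ftoxmpdipwobp4qy.19dmua.top
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The /27 check matters because Cerber sends UDP to every address in the block, so a single host inside the range is enough to flag the source.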

Below is information for the associated .js file, .doc file, and Cerber ransomware executables:

File name: Domain_Abuse_Report_Viewer.js

  • File size: 9,032 bytes
  • SHA256 hash: 12c72ccf0b64bc1b288c80e3ba8eb18bc88967264ca3ad392992354be9b51eb9

File description: Cerber downloaded by .js file from ggjghhfhfh.com on 2016-12-13

  • File location: C:\Users\[username]\appdata\Local\Temp\ixjobi7na.exe
  • File size: 255,018 bytes
  • SHA256 hash: 5e396520da517174e5556e5b2c3b6e6ff25214c083e4458248f1be2e89967c65

File name: Invoice_349KL.doc

  • File size: 206,120 bytes
  • SHA256 hash: 12c72ccf0b64bc1b288c80e3ba8eb18bc88967264ca3ad392992354be9b51eb9

File description: Cerber downloaded by Word macro from ggjghhfhfh.com on 2016-12-14

  • File location: C:\Users\[username]\Desktop\error.bat (or whatever directory the Word doc was opened in)
  • File size: 262,111 bytes
  • SHA256 hash: 5e396520da517174e5556e5b2c3b6e6ff25214c083e4458248f1be2e89967c65

Final words

A copy of the infection traffic, associated emails, malware, and artifacts can be found here.

Other people have noticed these malspam runs, and they've gotten some public attention through various blogs [3, 4, 5]. They never last long. I assume that's because the associated IOCs are reported fairly quickly, and the emails I've seen always get flagged as spam.

Fortunately, best security practices will help prevent infections like the ones in today's diary. A good email filtering system, properly administered Windows hosts, and an educated workforce mean users are much less likely to be infected.

Nonetheless, I assume this activity is somehow profitable for the people behind it. The criminals must be having some sort of success with these Cerber ransomware malspam runs. Why else would it keep happening?

---
Brad Duncan
brad [at] malware-traffic-analysis.net

[1] https://twitter.com/malware_traffic/status/801330398370418688
[2] https://twitter.com/malwrhunterteam/status/808752888063332352
[3] https://www.namepros.com/threads/these-domaincop-idiots-are-at-it-again.989576/
[4] https://www.blackmoreops.com/2016/11/23/domaincop-org-domain-abuse-notice-spam/
[5] http://onlinedomain.com/2016/11/22/domain-name-news/spamscam-email-domaincop-net-targeting-domain-name-website-owners/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 