Last Updated: 2016-05-04 00:01:29 UTC
by Brad Duncan (Version: 1)
Seems like we're always finding new ransomware. In early March 2016, BleepingComputer announced a new ransomware named Cerber had appeared near the end of February. A few days later, the Malwarebytes blog provided further analysis and more details on subsequent Cerber samples.
Cerber is distributed through exploit kits (EKs) and malicious spam (malspam). I've only seen .rtf attachments that download and install Cerber if opened in Microsoft Word. But other types of malspam may also distribute Cerber.
Shown above: Image of Cerber malspam from tier1net.com
By April 2016, Proofpoint reported Cerber was being distributed by Magnitude exploit kit (EK) using a Flash exploit based on CVE-2016-1019 (then a zero-day exploit). I ran across two Cerber malware samples sent by Neutrino EK near the end of April 2016, but I didn't realize it at the time. Since then, other sources like broadanalysis.com have also reported Neutrino EK sending Cerber.
This diary examines a Cerber ransomware infection from Neutrino EK on Tuesday 2016-05-03.
The few compromised websites I've seen associated with this Neutrino EK/Cerber campaign have similar patterns of injected script as seen below.
It's a fairly straightforward sequence of events. The compromised website leads to Neutrino EK. Then Neutrino EK sends Cerber ransomware. The only issue I had was when generating an infection on a virtual machine (VM). On a VM, the Cerber ransomware generated nearly the same network traffic, but it did not encrypt any files or show any notices before deleting itself. On a normal host, Cerber acts as you might expect, encrypting files and showing notifications. Cerber also checks its IP and location at ipinfo.io on a normal host. There was no check with ipinfo.io on a VM, though.
In the above two images, Neutrino EK is on 22.214.171.124 over TCP port 80 using the following domains:
With or without the IP check at ipinfo.io, Cerber sent UDP traffic with 9 bytes of data to 16,384 IP addresses from 126.96.36.199 to 188.8.131.52 (184.108.40.206/18 in CIDR notation). The infected host used the same source/destination ports, but the content within those 9 bytes changed each time. Previous Cerber samples use different IP ranges and UDP ports. Not sure what this UDP traffic means, though. I haven't been able to find any more information about it, and I haven't had time to dig into it further.
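The UDP pattern above (fixed source and destination ports, a fixed 9-byte payload length, and thousands of distinct destinations that all fall inside one /18) is easy to hunt for in flow data. The following detection script is an added example and not part of this diary or the pcap; the addresses, ports, and flow records it uses are constructed from private ranges and are not the diary's values.

```python
import ipaddress
import os
from collections import defaultdict


def constructed_flows():
    """Constructed UDP flow records (src, sport, dst, dport, payload) that mimic
    the diary's pattern: one host sending 9-byte datagrams with fixed ports to
    many addresses inside a single /18. Private ranges only; these are NOT the
    real addresses or ports from the infection."""
    spray_block = ipaddress.ip_network("10.20.0.0/18")
    flows = []
    for i, dst in enumerate(spray_block.hosts()):
        if i >= 300:
            break
        # Payload content changes every time, only its length is constant.
        flows.append(("192.168.1.50", 6892, str(dst), 6892, os.urandom(9)))
    # Benign noise: DNS queries from the same host and from another host.
    flows.append(("192.168.1.50", 51000, "192.168.1.1", 53, b"\x00" * 40))
    flows.append(("192.168.1.77", 51001, "192.168.1.1", 53, b"\x00" * 40))
    return flows


def find_udp_spray(flows, payload_len=9, prefix_len=18, min_targets=256):
    """Group datagrams of the given payload length by (src, sport, dport) and
    report groups whose distinct destinations exceed min_targets and all sit
    in one /prefix_len block. Returns a list of hit dictionaries."""
    groups = defaultdict(set)
    for src, sport, dst, dport, payload in flows:
        if len(payload) == payload_len:
            groups[(src, sport, dport)].add(dst)
    hits = []
    for (src, sport, dport), dsts in groups.items():
        if len(dsts) < min_targets:
            continue
        blocks = {ipaddress.ip_network(f"{d}/{prefix_len}", strict=False)
                  for d in dsts}
        if len(blocks) == 1:
            hits.append({"src": src, "sport": sport, "dport": dport,
                         "targets": len(dsts), "block": str(blocks.pop())})
    return hits


if __name__ == "__main__":
    for hit in find_udp_spray(constructed_flows()):
        print(f"{hit['src']}:{hit['sport']} -> {hit['targets']} hosts in "
              f"{hit['block']} udp/{hit['dport']}")
```

On real traffic, feed it tuples exported from Zeek's conn log or tshark (`udp.srcport`, `udp.dstport`, `udp.length`), and tune `min_targets` and `prefix_len` to the range sizes seen in other Cerber samples.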
Images from the infected host
As others have already reported, Cerber speaks to you. It does this through a .vbs file. In this infection, one of the files dropped to the infected user's desktop was # DECRYPT MY FILES #.vbs. This .vbs file is Visual Basic Script that causes your Windows computer to speak, saying "Attention! Attention! Attention!" ten times followed by "Your documents, photos, databases and other important files have been encrypted!"
As others have already noted, you must go through other browser pages to decrypt any files using the Cerber Decryptor.
I haven't seen as much Cerber as I've seen other ransomware like CryptXXX from Angler EK or Locky from malspam. However, Cerber has been a fairly consistent threat since it first appeared. I expect we'll see more Cerber in the coming weeks.
Pcaps and malware for this ISC diary can be found here.
brad [at] malware-traffic-analysis.net