Saturday, July 16, 2016

Analysis of Cerber (Professional) Ransomware

Bottom Line Up Front: Cerber is a professionally developed ransomware family that is widely deployed through three major exploit kits (Magnitude, Neutrino and RIG), VBS spear-phishing attachments, and popular JavaScript downloaders such as Nemucod. The malware appears to be easily customized to avoid detection on the host system. A Cerber payload was recently observed by a Wapack Labs subscriber as the final payload of a spear-phished VBS attachment. Wapack Labs analyzed dozens of recent Cerber samples as well as malicious emails carrying attachments that download Cerber.

Cerber infrastructure operators had previously (2014) registered domains for scams involving fake employment offers under fake Chinese names. The infrastructure is indirectly associated with BART ransomware, Pony/Fareit malware, Android malware and phishing pages. Over the course of a few months the operators also modified their C2 infrastructure to include a “.win” top-level domain, in addition to the infrastructure described in other publicly reported research.

Publication Date: 6 July 2016; information cutoff date: 1 July 2016

Handling requirements: Traffic light protocol (TLP) AMBER.  Recipients may only share TLP: AMBER information with members of their own organization on a “need-to-know” basis and only as widely as necessary to act on that information.

Attribution/Threat Actors: Criminal

Actor type: Adversary capabilities have been assessed as Tier IV: criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits.

Previous Reporting: None

Industries Targeted: Financial Services (US, Germany), Construction (Japan), Shipping (Italy), Education, Pharmaceuticals (Germany).

Indicators are available in Threat Recon.

The full report was posted to the Red Sky Alliance portal on 7/15/16. For more information, contact Wapack Labs: 844-4-WAPACK.