Cerber ransomware incorporates the unusual feature of “speaking” its ransom message after successfully infecting a user machine and encrypting files. Cerber was first seen in the wild at the end of February 2016 and was observed being delivered mostly via exploit kits (EK), notably using Magnitude and Nuclear Pack’s zero-day Flash exploit.

Figure 1 shows that on April 28, 2016, we observed a significant increase in Microsoft Office document-based macro downloader spam campaigns delivering Cerber ransomware as the payload. Since then we observed successor campaigns at the same level of volume. What is more notable about these campaigns is that the same distribution framework used by Dridex seems to be the one delivering this Cerber campaign.

Figure 1. Cerber spam activity trend

Through FireEye’s Dynamic Threat Intelligence (DTI), we observed that one Cerber spam campaign from May 4 was widely spread throughout the world, with the most targets in the United States (see Figure 2).

Figure 2. Geographical distribution of Cerber spam seen by FireEye DTI in May 4

Macro based Downloader

The malicious document attachment contains a macro that drops a VBScript in the %appdata% path of the machine. The rest of the malicious activities are performed by the dropped VBScript. This method of malware delivery is used instead of sending the VBScript directly as an email attachment, since some email gateway policies might block attached scripts.

The dropped VBScript includes obfuscated code that is used to download the Cerber payload.

The following are some of the obfuscation techniques used, briefly summarized:

Declare several variables that are not used in the code. This junk code is added to deter reverse engineering. A subroutine is used for delaying execution. This subroutine will increment a counter variable from 1 to 96166237. After completing the FOR loop, it compares the value of the variable with 96166237 to ensure that the FOR loop executed completely and there was no short circuit done (see Figure 3). This is done to detect automated analysis systems.

Figure 3. Delay execution routine in VBScript

HTTP Range Request for Internet Connectivity Check

Before downloading the Cerber payload, a check is performed by the VBScript to ensure that the environment has internet connectivity.

As seen in Figure 4, the VBScript sends an HTTP Range Request to a benign website. It looks for the string “Partial Content” in the HTTP response status text, as “206 Partial Content” is the expected response code for an HTTP Range Request according to RFC7233. If the response code is not correct, the VBScript calls a function to enter an infinite loop. In this way, the execution does not complete without Internet connectivity.

Figure 4. HTTP Range Request check for internet connectivity

Cerber Payload Download Method

After the check for internet connectivity is performed, the VBScript sends another HTTP Range Request to fetch a JPEG file from the URL: hxxp://bsprint[.]ro/images/karma-autumn/bg-footer-bottom.jpg?ObIpcVG=

In the HTTP Request Headers, it sets the value of Range Header to: "bytes=11193-". This indicates to the web server to return only the content starting at offset 11,193 of the JPG file.

The response content of this request is XORed with the key: "amfrshakf". Figure 5 shows the code section corresponding to the decryption routine.

Figure 5. Payload decoding routine

This technique of downloading the final payload using an HTTP Range Request check has been leveraged in the past by Dridex and Ursnif. We have observed similar obfuscation techniques used in the dropped VBScript as well.

Cerber Ransomware (MD5: 5a2ea6a1d12dcbeb840f5070c7f1e2f8)

There are no significant changes in the behavior of the Cerber payload in this spam campaign when compared to earlier variants. It still uses the ‘.cerber’ file extension name for the encrypted files. In this particular sample it checks for the country location, local language and whether it is inside a virtual machine environment as per its decrypted configuration, as seen in Figure 6.

Figure 6. Configuration for country location, language and virtual environment checks

This variant is also configured to target email, Word documents, and Steam (gaming) related files. It closes the related processes to have access to possible opened target files.

Figure 7. Configuration for closing processes

The malware asks the victim to visit any of the following websites to pay the ransom and receive further steps to decrypt the encrypted files.

hxxp://decrypttozxybarc[.]dconnect[.]eu

hxxp://decrypttozxybarc[.]tor2web[.]org

hxxp://decrypttozxybarc[.]onion[.]cab

hxxp://decrypttozxybarc[.]onion[.]to

hxxp://decrypttozxybarc[.]onion[.]link

While examining the decrypted configuration file, we found indications of the possible addition of a spambot module. The malware operator can set options for the email attachment, subject and the email body in the configuration, as seen in Figure 8. In this sample, this feature seems to be in its development or test stage. In order for the malware to be used as a spambot, it would also need a list of email addresses to send the spam email.

Figure 8. Possible spambot related configuration

Conclusion

By partnering with the same spam distributor that has proven its capability by delivering Dridex on a large scale, Cerber is likely to become another serious email threat similar to Dridex and Locky. This is in addition to the fact that Cerber is already known to be delivered through exploit kits. We advise users to be cautious when opening documents and other files from unknown senders, especially when asked to enable macros.

Ransomware authors are constantly upgrading their craft in order to maximize profits. An addition of a spambot module, for example, can add value to their ransomware, since victim machines will also be used as spam email distributors.

Hashes

Spam email

ace933ac89b5cdb6937bf1a43e265d9eb4cb11eead52be2709c4df2194ee3ba0

191db27efb10f96f2fcabcd6d5d759433b687b89a8b6fd90c123fe379b8b98eb

c5aa84c52764f3583e78a62adf8ed8bfda409ff4c8c306a155b82d7da66d0e95

3d0e5ea98fead3c28c6a9f4c6519e6488c4a791e1a40f701bb4fd681163804fe

72ac6b80deaeea9081ebed7edf7c9943813afbbbbbc365e1a781efa04d5765fc

304c21c77b52dce69bddc421b4166627a37068e18296920ac09bbd7cd4962748

Cerber payload

c6f29582e489506ccb14f19fdfa7c16