Wei Gao, Blog Author
Senior Security Research Engineer

Dissecting Cerber Ransomware

July 26, 2017 by Wei Gao

Ransomware is on the front page of almost all news coverage these days. It is hard to tune out, and it shows up even in non-technical writing. This blog is about one of these ransomware families, known as Cerber. Cerber is an advanced and mature ransomware. It is efficient and, because of this efficiency, it is often delivered through another efficient attack method, exploit kits. The two together make a lethal combination, one that is very difficult to fight.

Here in the ATI Research Center, we research these types of malicious attacks and provide actionable intelligence to our products and customers. This is a technical blog meant to help you understand details about Cerber, what it does, and how to detect it.

The following sample is a variant of Cerber ransomware. It encrypts files and renames them with a seemingly random name and extension. For example, it encrypts the file string.txt to G9QO5QoCWC.9605.

Before:

[Figure 1]

After:

[Figure 2]

Static Analysis

Pestudio 8.51 provides useful analysis of this sample. The sample’s imported symbols include seven functions that may be used for anti-debugging. For example, GetTickCount can be used for timing checks that reveal whether the sample has been paused by a debugger, and IsDebuggerPresent can check whether it is running under a debugger. These are the potentially malicious aspects of a Windows executable that the tool looks for.

[Figure 3]

This shows an MD5 of each section of the malware sample:

[Figure 4]

These MD5 hash values could be used as Indicators of Compromise (IOC).
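Per-section hashing of the kind Pestudio shows can be reproduced without a GUI. The following is an added example (not code from the original post): it walks the PE section table and returns an MD5 per section; the two-section image it builds is constructed test input, not the Cerber sample.

```python
import hashlib
import struct
from typing import List, Tuple

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)

def pe_section_hashes(image: bytes) -> List[Tuple[str, str]]:
    """Return [(section name, MD5 of its raw bytes), ...] for a PE file held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts after the signature
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    hashes = []
    for i in range(num_sections):
        hdr = table + i * SECTION_HEADER_SIZE
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)  # SizeOfRawData, PointerToRawData
        raw = image[raw_ptr:raw_ptr + raw_size]
        hashes.append((name, hashlib.md5(raw).hexdigest()))
    return hashes

def build_toy_pe() -> bytes:
    """Constructed, non-executable PE skeleton with two sections (test input only)."""
    sections = [(b".text", b"abc"), (b".data", b"a")]
    e_lfanew, opt_size = 0x40, 0              # real images carry an optional header; omitted here
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    data_start = e_lfanew + 4 + len(coff) + SECTION_HEADER_SIZE * len(sections)
    headers, body = b"", b""
    for name, raw in sections:
        ptr = data_start + len(body)
        headers += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw), 0x1000, len(raw), ptr) + b"\0" * 16
        body += raw
    return dos + b"PE\0\0" + coff + headers + body

if __name__ == "__main__":
    for name, digest in pe_section_hashes(build_toy_pe()):
        print(f"{name:8s} {digest}")
```

On a real sample, pass the file contents (`pe_section_hashes(open(path, "rb").read())`) and compare the digests against the IOC list.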

Exeinfo PE identifies the programming language and tool (compiler or packer) used to develop this sample:

[Figure 5]

The sample was built with Visual C++ 6.0 to 7.0 / Visual Studio 2008.

Pescanner scans the malware sample:

[Figure 6]

The results flag several items as “suspicious”.

Use PEframe to scan:

[Figure 7]

The results show anti-debug functions and some suspicious API calls. Software that tries to prevent debugging is often malicious, and this is one of the features used by Machine Learning (ML) based Anti-Virus (AV). In ML, a feature is a measurable property or characteristic that feeds the algorithm’s calculation or pattern recognition.

Signsrch locates code used for crypto and compression.

signsrch test.exe

[Figure 8]

Signsrch finds no known crypto or compression signatures in this sample.

Behavioral Analysis

To determine how the malware acts at runtime, it is necessary to detonate and infect a host system. During this process, we can monitor the network activity as well as the system activity. After detonation, we will view the DNS requests:

[Figure 9]

The malware tries to perform DNS requests to get IP addresses of several domain names:

api.blockcypher.com

btc.blockr.io

bitaps.com

These domain names can be used as indicators of compromise (IOC), so be sure to sinkhole them in DNS or block them on your NGFW through a web content filter.

To capture the follow-on traffic, an HTTP server on a Linux machine was configured to receive the malware’s HTTP requests.

[Figure 10]

[Figure 11]

The malware sample sends HTTP GET requests to api.blockcypher.com and btc.blockr.io:

GET /api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1498837828337

GET /v1/btc/main/addrs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1498837828250

These URLs can be added to your NGFW IOC list.
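The domains and URL shapes above translate directly into detection logic. As an added example (not from the original post), the following scans proxy log lines for the three IOC domains and, for the two blockchain-API paths observed, extracts the Bitcoin address being queried so infections can be correlated. The log format and the sample lines are constructed; the address and query strings are the ones shown above.

```python
import re
from typing import Dict, List, Optional

# Domains the sample resolved and contacted during detonation (from the post).
IOC_DOMAINS = {"api.blockcypher.com", "btc.blockr.io", "bitaps.com"}

# Shape of the two observed GET paths: public BTC address lookups with an
# optional cache-busting "?_=<ms>" query.
IOC_PATH_RE = re.compile(
    r"^/(?:api/v1/address/txs|v1/btc/main/addrs)/(?P<addr>[13][A-Za-z0-9]{25,34})(?:\?.*)?$"
)

# Constructed proxy log format (an assumption, not the post's): "<ts> <client> <method> <host> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>[^\s/]+)\s+(?P<path>/\S*)$"
)

def match_ioc(line: str) -> Optional[Dict[str, str]]:
    """Return a hit record if the line contacts an IOC domain, otherwise None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = m["host"].lower()
    if host not in IOC_DOMAINS:
        return None
    hit = {"client": m["client"], "host": host, "path": m["path"], "btc_addr": ""}
    p = IOC_PATH_RE.match(m["path"])
    if p:  # the wallet the sample checks; the same address across hosts ties them to one campaign
        hit["btc_addr"] = p["addr"]
    return hit

def scan_log(text: str) -> List[Dict[str, str]]:
    """Run match_ioc over every line of a log and keep the hits."""
    return [h for h in map(match_ioc, text.splitlines()) if h]

# Constructed sample log: two lines reproduce the GETs observed above, one is benign.
SAMPLE_LOG = """\
2017-06-30T15:50:28Z 10.0.0.23 GET api.blockcypher.com /v1/btc/main/addrs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1498837828250
2017-06-30T15:50:28Z 10.0.0.23 GET btc.blockr.io /api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1498837828337
2017-06-30T15:50:31Z 10.0.0.23 GET www.example.com /index.html
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```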

Looking at the process tree in Process Hacker, we can see the malware spawning new processes, including netsh.exe. It uses netsh to block Microsoft User Account Control (UAC).

[Figure 12]

Regshot is used to capture the file system and registry changes made during infection; the changes are saved to a file, diff.txt.

The malware sample created the following files:

%APPDATA%\Local\Temp\1459c218\44cb.tmp

%APPDATA%\Local\Temp\1459c218\625a.tmp

%APPDATA%\Local\Temp\1459c218\bt.tmp

[Figure 13]

[Figure 14]

Infection process

[Figure 15]

Create the Mutex

The sample creates a mutex using the CreateMutexExW API to prevent multiple instances from running.

[Figure 16]

In this run, the mutex is named shell.{6BB70FFF-55D6-3DAB-01F5-8B8292B26489}

[Figure 17]

Block Windows Defender

The malware sample uses the netsh command to add firewall rules that block network access for Windows Defender.

[Figure 18]

[Figure 19]

Privilege Escalation

This Cerber sample attempts to escalate privileges to admin level without displaying the UAC prompt.

[Figure 20]

Search and Encrypt File

The malware searches for files with extensions such as “.txt” and “.doc”, then encrypts them.

Cerber enumerates the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid”:

[Figure 21]

The machine globally unique identifier (GUID) is 128 bits long and has a format like “30dd879c-ee2f-11db-9605-0800200c9a66”. The malware sample uses the GUID’s 4th part as the extension for encrypted files. That is why, at the beginning of this report, the file string.txt was encrypted with the extension “.9605”.

It pushes 9605 as the encrypted file name extension:

[Figure 22]

The malware sample uses the bcrypt (Windows CNG) API to encrypt the file.

[Figure 23]

[Figure 24]

Ransom Note Display

It writes a ransom note file: _READ_THIS_FILE_CDOKZQ_.txt

[Figure 25]
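Because the extension is derived from MachineGuid, a host-side check can predict what this sample’s renamed files will look like on a given machine and pair that with the ransom note name. The following is an added example (not code from the original post) covering both the extension derivation and the note file: it assumes the six-character infix of the note name varies between runs, and the directory listing it scans is constructed.

```python
import re
from typing import Dict, List

# Value from the post's screenshot of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid.
EXAMPLE_MACHINE_GUID = "30dd879c-ee2f-11db-9605-0800200c9a66"

def cerber_extension(machine_guid: str) -> str:
    """4th dash-separated group of MachineGuid: the extension this sample appends."""
    parts = machine_guid.strip("{}").split("-")
    if [len(p) for p in parts] != [8, 4, 4, 4, 12] or not all(
        re.fullmatch(r"[0-9a-fA-F]+", p) for p in parts
    ):
        raise ValueError("not a GUID: %r" % machine_guid)
    return parts[3].lower()

def encrypted_name_re(machine_guid: str) -> "re.Pattern":
    """Renamed victim file as seen above: 10 alphanumerics plus the derived extension."""
    return re.compile(r"^[A-Za-z0-9]{10}\.%s$" % re.escape(cerber_extension(machine_guid)), re.I)

# Ransom note name from the post; the six-character infix is assumed to vary per run.
NOTE_RE = re.compile(r"^_READ_THIS_FILE_[A-Z0-9]{6}_\.txt$", re.I)

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def find_cerber_artifacts(paths: List[str], machine_guid: str) -> Dict[str, List[str]]:
    """Split a file listing into encrypted files and ransom notes for this host's GUID."""
    enc_re = encrypted_name_re(machine_guid)
    out: Dict[str, List[str]] = {"encrypted": [], "notes": []}
    for p in paths:
        name = _basename(p)
        if enc_re.match(name):
            out["encrypted"].append(p)
        elif NOTE_RE.match(name):
            out["notes"].append(p)
    return out

# Constructed directory listing for a host whose MachineGuid has "9605" as its 4th part.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\G9QO5QoCWC.9605",
    r"C:\Users\alice\Documents\string.txt",
    r"C:\Users\alice\Documents\_READ_THIS_FILE_CDOKZQ_.txt",
    r"C:\Users\alice\Documents\report.9605",  # wrong base-name length: not this sample's rename
]

if __name__ == "__main__":
    print(find_cerber_artifacts(SAMPLE_LISTING, EXAMPLE_MACHINE_GUID))
```

On a live Windows host the GUID would be read from the registry key named above rather than hard-coded.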

I’ve provided this malware sample to help you determine whether your network anti-virus can detect and block Cerber ransomware; hopefully before it gets to your users.

Sample Hashes

MD5: 0771f00985f1e0ce93740281da8752fe

SHA256: 56f41afc8f025597659f11f59b191e66bd6c6525313cf3c0356c40490722b7c5