Cerber ransomware incorporates the unusual feature of “speaking” its ransom message after successfully infecting a user machine and encrypting files. Cerber was first seen in the wild at the end of February 2016 and was observed being delivered mostly via exploit kits (EK), notably using Magnitude and Nuclear Pack’s zero-day Flash exploit.
Figure 1 shows that on April 28, 2016, we observed a significant increase in Microsoft Office document-based macro downloader spam campaigns delivering Cerber ransomware as the payload. Since then we observed successor campaigns at the same level of volume. What is more notable about these campaigns is that the same distribution framework used by Dridex seems to be the one delivering this Cerber campaign.
Figure 1. Cerber spam activity trend
Through FireEye’s Dynamic Threat Intelligence (DTI), we observed that one Cerber spam campaign from May 4 was widely spread throughout the world, with the most targets in the United States (see Figure 2).
Figure 2. Geographical distribution of Cerber spam seen by FireEye DTI in May 4
Macro based Downloader
The malicious document attachment contains a macro that drops a VBScript in the %appdata% path of the machine. The rest of the malicious activities are performed by the dropped VBScript. This method of malware delivery is used instead of sending the VBScript directly as an email attachment, since some email gateway policies might block attached scripts.
The dropped VBScript includes obfuscated code that is used to download the Cerber payload.
The following are some of the obfuscation techniques used, briefly summarized:
- Declare several variables that are not used in the code. This junk code is added to deter reverse engineering.
- A subroutine is used for delaying execution. This subroutine will increment a counter variable from 1 to 96166237. After completing the FOR loop, it compares the value of the variable with 96166237 to ensure that the FOR loop executed completely and there was no short circuit done (see Figure 3). This is done to detect automated analysis systems.
Figure 3. Delay execution routine in VBScript
HTTP Range Request for Internet Connectivity Check
Before downloading the Cerber payload, a check is performed by the VBScript to ensure that the environment has internet connectivity.
As seen in Figure 4, the VBScript sends an HTTP Range Request to a benign website. It looks for the string “Partial Content” in the HTTP response status text, as “206 Partial Content” is the expected response code for an HTTP Range Request according to RFC7233. If the response code is not correct, the VBScript calls a function to enter an infinite loop. In this way, the execution does not complete without Internet connectivity.
Figure 4. HTTP Range Request check for internet connectivity
Cerber Payload Download Method
After the check for internet connectivity is performed, the VBScript sends another HTTP Range Request to fetch a JPEG file from the URL: hxxp://bsprint[.]ro/images/karma-autumn/bg-footer-bottom.jpg?ObIpcVG=
In the HTTP Request Headers, it sets the value of Range Header to: "bytes=11193-". This indicates to the web server to return only the content starting at offset 11,193 of the JPG file.
The response content of this request is XORed with the key: "amfrshakf". Figure 5 shows the code section corresponding to the decryption routine.
Figure 5. Payload decoding routine
This technique of downloading the final payload using an HTTP Range Request check has been leveraged in the past by Dridex and Ursnif. We have observed similar obfuscation techniques used in the dropped VBScript as well.
Cerber Ransomware (MD5: 5a2ea6a1d12dcbeb840f5070c7f1e2f8)
There are no significant changes in the behavior of the Cerber payload in this spam campaign when compared to earlier variants. It still uses the ‘.cerber’ file extension name for the encrypted files. In this particular sample it checks for the country location, local language and whether it is inside a virtual machine environment as per its decrypted configuration, as seen in Figure 6.
Figure 6. Configuration for country location, language and virtual environment checks
This variant is also configured to target email, Word documents, and Steam (gaming) related files. It closes the related processes to have access to possible opened target files.
Figure 7. Configuration for closing processes
The malware asks the victim to visit any of the following websites to pay the ransom and receive further steps to decrypt the encrypted files.
While examining the decrypted configuration file, we found indications of the possible addition of a spambot module. The malware operator can set options for the email attachment, subject and the email body in the configuration, as seen in Figure 8. In this sample, this feature seems to be in its development or test stage. In order for the malware to be used as a spambot, it would also need a list of email addresses to send the spam email.
Figure 8. Possible spambot related configuration
By partnering with the same spam distributor that has proven its capability by delivering Dridex on a large scale, Cerber is likely to become another serious email threat similar to Dridex and Locky. This is in addition to the fact that Cerber is already known to be delivered through exploit kits. We advise users to be cautious when opening documents and other files from unknown senders, especially when asked to enable macros.
Ransomware authors are constantly upgrading their craft in order to maximize profits. An addition of a spambot module, for example, can add value to their ransomware, since victim machines will also be used as spam email distributors.