Malspam Campaign Distributing Cerber Ransomware

The LookingGlass Cyber Threat Intelligence Group (CTIG) observed a malspam campaign distributing the Cerber ransomware. The attachment in this campaign, presented to the victim as a "new report", is a malicious .dot (Word document template) file that opens natively in Microsoft Word. The .dot file carries a malicious macro which, once the victim allows it to run, fetches and executes the Cerber payload. Cerber has been analyzed in detail here and here, so the scope of this post is limited to the indicators observed in this campaign.

Below is a screenshot of what an example of this malspam campaign looks like:

[Screenshot: example message from the malspam campaign]

Below are the SMTP headers from the observed sample that can be used for identification and blocking on SMTP gateways. Apart from Received lines added by relays you trust, every one of these headers is written by the sender and can be forged, so treat them as indicators to correlate rather than proof of origin:

Received: from tp-exch-v01.corpnet.asus ([172.21.130.191])
  by ms.asus.com with ESMTP; 10 May 2016 20:46:31 +0800
From: Moses Contreras <rahul_k@asus.com>
Subject: =?UTF-8?Q?Moses_Contreras?=
Date: Tue, 10 May 2016 07:46:02 -0500
MIME-Version: 1.0
X-mailer: Opera Mail 9.12.292
X-Originating-IP: [186.121.126.10]

The CTIG observed an attachment "66636c63-hm.a.dot" (MD5: 3D367E6774D1501EAF1B7632E099C1FB) containing a VBScript macro "29212.vbs" (MD5: B5D1D7BA47D363620168DDD39ECF1EE2). The macro retrieved an encoded payload from the following URI:

hxxp://pompe-distribution[.]com/h.jpg?BkKSelC1CS=53 (188.165.242[.]106)

The payload (MD5: 6519603249EF66224BADF63A6D4DBF5A) is served under an image filename ("h.jpg") and in encoded form, so the download does not look like an executable on the wire. It can be seen being retrieved below:

[Screenshot: encoded payload being downloaded from the URI above]

Once decoded (MD5: 63688AB0D343B66FBBFBCECBBD62FFDF) and executed, and before it begins encrypting files on the victim machine, the Cerber payload sends UDP datagrams to port 6892 across the entire range 85.93.0[.]0 – 85.93.63[.]255 (85.93.0.0/18). This fan-out of UDP traffic from one host to thousands of addresses in a single /18 is itself a useful network signature:

[Screenshot: UDP traffic to port 6892 across 85.93.0.0/18]

The CTIG recommends blocking all of the IOCs listed below in your environment to proactively protect against this threat. LookingGlass ScoutVision had observed the first UDP communication address, 85.93.0[.]0, as associated with Cerber ransomware as early as April 13, 2016.

Summary of IOCs:

Sender:

Moses Contreras <rahul_k@asus.com>

IP Addresses:

186.121.126[.]10
188.165.242[.]106
85.93.0[.]0 - 85.93.63[.]255 (85.93.0.0/18)

URIs:

hxxp://pompe-distribution[.]com/h.jpg?BkKSelC1CS=53

Malware MD5s:

3D367E6774D1501EAF1B7632E099C1FB
B5D1D7BA47D363620168DDD39ECF1EE2
6519603249EF66224BADF63A6D4DBF5A
63688AB0D343B66FBBFBCECBBD62FFDF

Filenames:

66636c63-hm.a.dot
29212.vbs
locator.exe

Filepaths:

C:\Documents and Settings\Administrator\Application Data\{19CF59F6-0800-788E-D3A1-D46836652FD8}\
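As an added example (not code from the LookingGlass post), the script below applies the IOCs summarized above to constructed sample data: it checks the mail headers for the sender and originating IP, matches the download URI in proxy-style log lines, matches file MD5s, and implements the network detection suggested by the UDP beaconing described earlier, flagging any internal host that sends UDP/6892 datagrams to many distinct addresses inside 85.93.0.0/18. The log formats, internal host addresses, and the fan-out threshold are assumptions for illustration; the indicator values are the ones listed in the post with the defanging brackets removed. Matching the download URI by host and path while ignoring the query string is also an assumption, since the parameter value may vary per victim.

```python
import ipaddress
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Indicators from the post, with the defanging brackets removed.
IOC_SENDER = "rahul_k@asus.com"
IOC_IPS = {"186.121.126.10", "188.165.242.106"}
IOC_URL_PREFIX = "http://pompe-distribution.com/h.jpg"  # query string ignored (assumption)
IOC_MD5S = {
    "3d367e6774d1501eaf1b7632e099c1fb",  # 66636c63-hm.a.dot
    "b5d1d7ba47d363620168ddd39ecf1ee2",  # 29212.vbs
    "6519603249ef66224badf63a6d4dbf5a",  # encoded download (h.jpg)
    "63688ab0d343b66fbbfbcecbbd62ffdf",  # decoded Cerber payload
}
BEACON_NET = ipaddress.ip_network("85.93.0.0/18")  # 85.93.0.0 - 85.93.63.255
BEACON_PORT = 6892

# Constructed message: the From / X-Originating-IP values are the post's, the rest is filler.
SAMPLE_HEADERS = """\
From: Moses Contreras <rahul_k@asus.com>
Subject: =?UTF-8?Q?Moses_Contreras?=
X-mailer: Opera Mail 9.12.292
X-Originating-IP: [186.121.126.10]

(body omitted)
"""

# Constructed proxy log lines: "timestamp client method url status".
SAMPLE_PROXY = [
    "2016-05-10T12:46:10 10.0.0.5 GET http://pompe-distribution.com/h.jpg?BkKSelC1CS=53 200",
    "2016-05-10T12:46:11 10.0.0.7 GET http://www.example.com/index.html 200",
]


def _constructed_flows():
    """Constructed flow records: "timestamp proto src:sport dst:dport"."""
    flows = []
    # Infected host (assumed 10.0.0.5): UDP fan-out to 30 distinct addresses in the /18.
    for i in range(30):
        flows.append(f"2016-05-10T12:47:{i:02d} UDP 10.0.0.5:49152 85.93.{i * 2}.{i + 1}:6892")
    # A single stray datagram from another host, below the fan-out threshold.
    flows.append("2016-05-10T12:48:00 UDP 10.0.0.9:40000 85.93.5.5:6892")
    # Benign traffic: DNS, and TCP to a neighbouring prefix just outside the /18.
    flows.append("2016-05-10T12:48:01 UDP 10.0.0.5:53000 10.0.0.2:53")
    flows.append("2016-05-10T12:48:02 TCP 10.0.0.5:50001 85.93.64.1:443")
    return flows


SAMPLE_FLOWS = _constructed_flows()
FLOW_RE = re.compile(r"^(\S+)\s+(UDP|TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)$")


def check_mail_headers(raw):
    """Return the names of the campaign's mail indicators matched in a raw message."""
    msg = message_from_string(raw)
    hits = []
    if parseaddr(msg.get("From", ""))[1].lower() == IOC_SENDER:
        hits.append("sender")
    if msg.get("X-Originating-IP", "").strip("[] ") in IOC_IPS:
        hits.append("originating-ip")
    return hits


def match_proxy(lines):
    """Return (client, url) pairs whose URL starts with the campaign download URI."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[3].lower().startswith(IOC_URL_PREFIX):
            hits.append((parts[1], parts[3]))
    return hits


def match_hashes(md5s):
    """Return the subset of the given MD5s (any case) that are campaign hashes."""
    return {h.lower() for h in md5s if h.lower() in IOC_MD5S}


def find_udp_beacons(flows, min_targets=10):
    """Sources that sent UDP/6892 to at least min_targets distinct addresses in 85.93.0.0/18.

    Returns {source_ip: distinct_target_count}. Counting distinct targets rather than
    packets is what separates the Cerber fan-out from a single stray datagram."""
    targets = defaultdict(set)
    for line in flows:
        m = FLOW_RE.match(line)
        if not m:
            continue
        _, proto, src, _, dst, dport = m.groups()
        if proto != "UDP" or int(dport) != BEACON_PORT:
            continue
        try:
            if ipaddress.ip_address(dst) in BEACON_NET:
                targets[src].add(dst)
        except ValueError:
            continue  # malformed destination; skip rather than crash the detector
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    print("mail:", check_mail_headers(SAMPLE_HEADERS))
    print("proxy:", match_proxy(SAMPLE_PROXY))
    print("hashes:", match_hashes(["3D367E6774D1501EAF1B7632E099C1FB"]))
    print("udp fan-out:", find_udp_beacons(SAMPLE_FLOWS))
```

The fan-out check is the part worth carrying into production: a firewall rule on 85.93.0.0/18 blocks the beacons, but counting distinct UDP/6892 destinations per internal host in flow data tells you which machine has already run the payload, and it keeps working if the operators move to an adjacent prefix, provided the threshold is applied per destination prefix rather than hard-coded to this one.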