Definitely Not Cerber

At the beginning of last week we noticed a spam campaign delivering a double zipped JScript file. The campaign started on September 8th. The email had the subject line of “RE: [name of recipient]” with an empty body, and an attached zip file named “[recipient name][a-z]{4}.zip”.

The characteristics of the mail, the naming of the attachment, and the obfuscation used in the sample were similar to what had previously been seen in the distribution of Cerber ransomware. Testing one of the samples led to an unpleasant surprise: a payload that looked nothing like Cerber.


Definitely not Cerber

The final payload of that particular sample was Locky ransomware. This was an odd discovery, especially as Locky is known to be distributed by the Necurs botnet in entirely different and far more prevalent campaigns. This campaign spanned just over a week, with no more than a few dozen samples per day. Further analysis of the campaign revealed minor tweaks and updates to the attachment during the week.


The first attachment type, delivered on the evening of the 8th, was an obfuscated JScript downloader, and this type continued to be distributed for a few days. The next surge, two days later, delivered a similarly obfuscated JScript downloader packaged as a JScript encoded script file (.jse). Later, the campaign continued by spamming encrypted JScript files, but changed the obfuscation to add custom XOR encryption of critical strings. In the last update the size of the downloader was doubled with comments, and the distribution spiked slightly.

The contacted URLs also followed the format observed in previous Cerber campaigns. In total, the samples contacted 7 domains registered under the .top TLD, resolving to two IP addresses, each requested with one of 7 different query parameters in the format ?f=[1-7].bin. The query parameter was hard-coded in each distributed sample, and 25% of the samples contacted the domains with query parameter 1. (By comparison, if the parameter were chosen uniformly at random, each value's share would be about 14% (1/7) rather than 25%.)

Further analysis of the URLs revealed that the same Locky sample was served on all domains for query parameters 2 to 7, while query parameter 1 was reserved for serving Cerber ransomware.
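The two observable fingerprints described above (the "RE: [name]" mail with an empty body and a "[name][a-z]{4}.zip" attachment, and the ?f=[1-7].bin download URL on a .top domain) are easy to turn into triage logic. The following script is an added example, not code from the original post or from the analysts behind it: it matches constructed mail metadata against the attachment-naming pattern, extracts matching payload requests from constructed proxy log lines, and computes the share of each query parameter against the uniform 1/7 expectation the post uses as its baseline. Every domain, address and log line here is made up for illustration; the mail and log field layouts are assumptions.

```python
import re
from collections import Counter
from fractions import Fraction

# Constructed mail metadata (not from the original post). Two records follow the
# campaign pattern, two do not.
SAMPLE_MAILS = [
    {"subject": "RE: alice", "body": "", "attachment": "alicexkqz.zip"},
    {"subject": "RE: bob", "body": "", "attachment": "bobqwer.zip"},
    {"subject": "RE: carol", "body": "Hi, see attached", "attachment": "carol.zip"},
    {"subject": "Invoice 4431", "body": "", "attachment": "invoice.zip"},
]

# Constructed proxy log lines in an assumed "<timestamp> <client> GET <url>" layout.
# Domains are placeholders, not the campaign's real infrastructure.
SAMPLE_PROXY_LOG = """\
2016-09-08T18:01:02Z 10.0.0.5 GET http://example-a.top/path?f=1.bin
2016-09-08T18:02:14Z 10.0.0.6 GET http://example-a.top/path?f=3.bin
2016-09-09T09:10:00Z 10.0.0.7 GET http://example-b.top/x?f=1.bin
2016-09-09T09:11:30Z 10.0.0.8 GET http://example-b.top/x?f=7.bin
2016-09-10T11:00:00Z 10.0.0.9 GET http://legit.example.com/update?f=1.bin
2016-09-10T11:05:00Z 10.0.0.5 GET http://example-c.top/y?f=2.bin
2016-09-10T11:09:00Z 10.0.0.6 GET http://example-c.top/y?f=9.bin
2016-09-10T11:12:00Z 10.0.0.8 GET http://example-a.top/path?f=1.bin
"""

# Host must end in .top, path must end in ?f=<digit 1-7>.bin (the format from the post).
PAYLOAD_URL = re.compile(r"https?://[^/\s]+\.top/[^\s?]*\?f=([1-7])\.bin$")


def mail_matches_campaign(mail):
    """True when subject is 'RE: <name>', the body is empty and the attachment
    is '<name>' followed by exactly four lowercase letters and '.zip'."""
    m = re.fullmatch(r"RE: (.+)", mail["subject"])
    if not m or mail["body"].strip():
        return False
    name = re.escape(m.group(1))
    return re.fullmatch(name + r"[a-z]{4}\.zip", mail["attachment"]) is not None


def extract_payload_requests(log_text):
    """Return (client, url, f) for every GET whose URL matches the payload format.
    Lines with other hosts, or an f value outside 1-7, are ignored."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "GET":
            continue
        m = PAYLOAD_URL.match(parts[3])
        if m:
            hits.append((parts[1], parts[3], int(m.group(1))))
    return hits


def parameter_shares(hits):
    """Share of requests per query parameter 1..7, as exact fractions."""
    counts = Counter(f for _, _, f in hits)
    total = sum(counts.values())
    return {f: Fraction(counts[f], total) for f in range(1, 8)}


def skew_vs_uniform(shares, param=1, n_params=7):
    """Observed share of `param` divided by the uniform expectation 1/n_params.
    A ratio well above 1 means the parameter is over-represented, as the post
    observed for parameter 1 (25% observed vs about 14% expected)."""
    return shares[param] / Fraction(1, n_params)


if __name__ == "__main__":
    for mail in SAMPLE_MAILS:
        print(mail["subject"], "->", mail_matches_campaign(mail))
    hits = extract_payload_requests(SAMPLE_PROXY_LOG)
    shares = parameter_shares(hits)
    for f in range(1, 8):
        print(f"f={f}: {shares[f]}")
    print("skew of f=1 vs uniform:", skew_vs_uniform(shares))
```

On the constructed log, six of the eight lines qualify (the non-.top host and the f=9 request are dropped), parameter 1 accounts for half of them, and the skew ratio comes out at 3.5. Applied to the post's own figures, 25% against 1/7 gives a ratio of 1.75, which is the kind of deviation that suggests the parameter was assigned rather than drawn at random.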


Probably Cerber

This is not the first time Cerber has been distributed in the same campaign as other nasty malware. Last May, Cerber shared a distribution framework with the Dridex banking trojan. Although the campaign appears to be in a test phase, judging by the multiple minor updates to the dropper during the week, seeing two different ransomware families in the same campaign is so far unusual.

