Monday, 3 April 2017

Beware of Cerber in your parcel


New Cerber ransomware comes through parcel delivery notifications with zip attachments.




The zip archive contains a Java script that downloads a Cerber ransomware:

To run, Cerber needs the .NET Framework 2.0. Therefore, the ransomware may download the 'NetFx20SP1_x86.exe' package.

As usual, Cerber creates notification messages in the folder with encrypted files:

As well as, sets the wallpaper:

The cryptolocker takes advantage of Microsoft's CryptoAPI using AES+RSA algorithms and leaves no chances to decrypt files for a victim.

Sample


Network IoCs

levardphotos.com
eastgrandrapidsrealty.com
julianrockmemorial.org
flapropertylaw.com
asian-merchants.com
ccmiti.com
ah.5ith.com
conferenciabiblica2015.com
jasonanthonymusic.com
w3sa.ch
185.117.72.90
187.151.226.180
23.78.11.117
23.80.62.22
189.252.246.11
60.251.128.82
108.179.193.65
50.56.150.241

Yara rule

rule CerberRansomware_mem
{
    meta:
        author = "NioGuard Security Lab"
        info = "Detecting the Cerber process"
        reference = "http://nioguard.com/"

    strings:
        $a1 = "_READ_THIS_FILE_{RAND}_."
        $a2 = "hta"
        $a3 = "txt"
        $a4 = "jpeg"
 
    condition:
      $a1 and ($a2 or $a3 or $a4)
}

No comments:

Post a comment