Cerber ransomware has become one of the most prolific crimeware botnets to date; it is currently estimated to generate $2.5 million a year, and that figure is rising. Once a machine is infected, its files are encrypted and held for ransom, as the name implies. A pop-up image gives instructions on how to reclaim your data, and an audio message tells you that you have been infected and to follow the instructions if you want your data back. The instructions require you to install the Tor Browser and make a Bitcoin payment to reclaim your property. If there is anything on the computer you cannot live without, I would recommend paying the ransom; otherwise the best course of action is to re-image the machine.
Why are they so successful? First, the operators are rather smart: their infrastructure changes constantly, and they hide their C2 servers inside UDP traffic sprayed across multiple CIDR ranges. Roughly 99% of that UDP traffic is benign; it exists only to confuse analysts and hide the true control servers.
The group hacks easily exploitable networks and uses the compromised servers as slaves that pass data up to the group's own master C2 servers. One such hacked host was itself taken over by a blackhat, who monitored the Cerber communication: port 6892 was filtered, but the traffic sent to it was captured and forwarded on to the master node. The ports running on that host were:
Not shown: 985 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp filtered microsoft-ds
993/tcp open imaps
995/tcp open pop3s
1720/tcp filtered h323q931
3306/tcp open mysql
Suspected buried C2 IP ranges within each infection sample reviewed
Sample 1:
2017-01-15 23:41:23.390149 IP 192.168.1.102.55397 > 91.239.24.2.6892: UDP, length 25
E..5bM…..k…f[….e…!..c9e537574920044695010008c
2017-01-15 23:41:23.390153 IP 192.168.1.102.55397 > 91.239.24.3.6892: UDP, length 25
E..5-……….f[….e…!..c9e537574920044695010008c
2017-01-15 23:41:23.390201 IP 192.168.1.102.55397 > 91.239.24.4.6892: UDP, length 25
E..5.}…..9…f[….e…!..c9e537574920044695010008c
Sample 2:
2017-01-15 23:26:49.289051 IP 192.168.1.102.57428 > 194.165.16.9.6892: UDP, length 10
E..&…….D…f… .T….6hhi005c9027……..
2017-01-15 23:26:49.289100 IP 192.168.1.102.57428 > 194.165.16.10.6892: UDP, length 10
E..&t…..2’…f…
.T….6ghi005c9027……..
2017-01-15 23:26:52.735146 IP 192.168.1.102.57429 > 194.165.17.244.6892: UDP, length 24
E..4Si….Q….f…..U… ..8870f233185a005c950110f5
2017-01-15 23:26:52.735196 IP 192.168.1.102.57429 > 194.165.17.245.6892: UDP, length 24
E..4…….O…f…..U… ..8870f233185a005c950110f5
Sample 3:
2017-01-16 00:21:03.206140 IP 192.168.1.102.61992 > 91.239.25.241.6892: UDP, length 25
E..567………f[….(…!..9973e23bd78600889501000d0
2017-01-16 00:21:03.206190 IP 192.168.1.102.61992 > 91.239.25.242.6892: UDP, length 25
E..5N……….f[….(…!..9973e23bd78600889501000d0
2017-01-16 00:21:03.206248 IP 192.168.1.102.61992 > 91.239.25.243.6892: UDP, length 25
E..5…….:…f[….(…!..9973e23bd78600889501000d0
Sample 4:
2017-01-16 00:01:48.758846 IP 192.168.1.102.65032 > 91.239.25.242.6892: UDP, length 25
E..5L……….f[……..!.o22cf9e2fd015008e9501000b2
2017-01-16 00:01:48.758909 IP 192.168.1.102.65032 > 91.239.25.243.6892: UDP, length 25
E..5…….:…f[……..!.n22cf9e2fd015008e9501000b2
2017-01-16 00:01:48.758966 IP 192.168.1.102.65032 > 91.239.25.244.6892: UDP, length 25
E..58……….f[……..!.m22cf9e2fd015008e9501000b2
2017-01-16 00:01:48.758971 IP 192.168.1.102.65032 > 91.239.25.245.6892: UDP, length 25
E..5…….(…f[……..!.l22cf9e2fd015008e9501000b2
2017-01-16 00:01:48.759037 IP 192.168.1.102.65032 > 91.239.25.246.6892: UDP, length 25
E..5………..f[……..!.k22cf9e2fd015008e9501000b2
Sample 5:
2017-01-15 23:51:16.211660 IP 192.168.1.102.57972 > 91.239.24.11.6892: UDP, length 25
E..5H……….f[….t…!..9b735127a8440091c50100086
2017-01-15 23:51:16.211662 IP 192.168.1.102.57972 > 91.239.24.12.6892: UDP, length 25
E..5………..f[….t…!..9b735127a8440091c50100086
2017-01-15 23:51:16.211750 IP 192.168.1.102.57972 > 91.239.24.13.6892: UDP, length 25
E..54D…..i…f[….t…!..9b735127a8440091c50100086
2017-01-15 23:51:16.211800 IP 192.168.1.102.57972 > 91.239.24.14.6892: UDP, length 25
E..5\`…..L…f[….t…!..9b735127a8440091c50100086
2017-01-15 23:51:16.211850 IP 192.168.1.102.57972 > 91.239.24.15.6892: UDP, length 25
E..5………..f[….t…!..9b735127a8440091c50100086
Sample 6:
2016-12-17 00:01:33.939738 IP 192.168.1.102.50260 > 91.239.24.0.6892: UDP, length 25
E..5………..f[….T…!..ac71ae205179044695010009a
2016-12-17 00:01:33.939746 IP 192.168.1.102.50260 > 91.239.24.1.6892: UDP, length 25
E..5;-………f[….T…!..ac71ae205179044695010009a
2016-12-17 00:01:33.939798 IP 192.168.1.102.50260 > 91.239.24.2.6892: UDP, length 25
E..5^……….f[….T…!..ac71ae205179044695010009a
2016-12-17 00:01:33.939878 IP 192.168.1.102.50260 > 91.239.24.3.6892: UDP, length 25
E..5g……….f[….T…!..ac71ae205179044695010009a
2016-12-17 00:01:33.939887 IP 192.168.1.102.50260 > 91.239.24.4.6892: UDP, length 25
E..5,……(…f[….T…!..ac71ae205179044695010009a
Sample 7:
2016-12-16 01:29:16.678089 IP 192.168.1.102.59297 > 194.165.16.1.6892: UDP, length 10
E..&o…..7P…f……….’Uhi00889070……..
2016-12-16 01:29:16.678161 IP 192.168.1.102.59297 > 194.165.16.2.6892: UDP, length 10
E..&
……….f……….’Thi00889070……..
2016-12-16 01:29:16.678172 IP 192.168.1.102.59297 > 194.165.16.3.6892: UDP, length 10
E..&3+….s….f……….’Shi00889070……..
2016-12-16 01:29:16.678223 IP 192.168.1.102.59297 > 194.165.16.4.6892: UDP, length 10
E..&xk………f……….’Rhi00889070……..
2016-12-16 01:29:16.678305 IP 192.168.1.102.59297 > 194.165.16.5.6892: UDP, length 10
E..&A…..eT…f……….’Qhi00889070……..
2016-12-16 01:29:16.678357 IP 192.168.1.102.59297 > 194.165.16.6.6892: UDP, length 10
E..&$……y…f……….’Phi00889070……..
2016-12-16 01:29:16.678363 IP 192.168.1.102.59297 > 194.165.16.7.6892: UDP, length 10
E..&.c………f……….’Ohi00889070……..
Domain Whois record
Queried whois.publicinterestregistry.net with "adm-service.org"...
Domain Name: ADM-SERVICE.ORG
Domain ID: D166856235-LROR
WHOIS Server:
Referral URL: www.bizcn.com
Updated Date: 2016-06-28T14:46:27Z
Creation Date: 2012-10-15T15:09:33Z
Registry Expiry Date: 2017-10-15T15:09:33Z
Sponsoring Registrar: Bizcn.com, Inc.
Sponsoring Registrar IANA ID: 471
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant ID: orgmc50313771827
Registrant Name: Medoro Chicoine
Registrant Organization: ADM Service Ltd
Registrant Street: 25 avenue Albert II
Registrant City: Monaco
Registrant State/Province: Monaco
Registrant Postal Code: 98000
Registrant Country: MC
Registrant Phone: +86.37798587511
Registrant Phone Ext:
Registrant Fax: +86.37798587512
Registrant Fax Ext:
Registrant Email: [email protected]
Admin ID: orgmc50313772139
Admin Name: Medoro Chicoine
Admin Organization: ADM Service Ltd
Admin Street: 25 avenue Albert II
Admin City: Monaco
Admin State/Province: Monaco
Admin Postal Code: 98000
Admin Country: MC
Admin Phone: +86.37798587511
Admin Phone Ext:
Admin Fax: +86.37798587512
Admin Fax Ext:
Admin Email: [email protected]
Tech ID: orgmc50313773049
Tech Name: Medoro Chicoine
Tech Organization: ADM Service Ltd
Tech Street: 25 avenue Albert II
Tech City: Monaco
Tech State/Province: Monaco
Tech Postal Code: 98000
Tech Country: MC
Tech Phone: +86.37798587511
Note the internal inconsistency in the record: a street address in Monaco (country code MC) paired with phone and fax numbers under +86, the country code for China. Mismatches like this are worth checking before treating any registrant detail as a real lead.
This post first appeared on Computer Security.org - CyberSecurity News, Inform, please read the original post: here