{ "Event": { "analysis": "2", "date": "2016-12-16", "extends_uuid": "", "info": "OSINT - One, if by email, and two, if by EK: The Cerbers are coming!", "publish_timestamp": "1481870914", "published": true, "threat_level_id": "3", "timestamp": "1481870845", "uuid": "58538c11-4694-47ba-a01c-4cfe02de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#3ab400", "local": false, "name": "enisa:nefarious-activity-abuse=\"exploits-exploit-kits\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1481870365", "to_ids": false, "type": "link", "uuid": "58538c1d-82a0-4d24-867d-41a202de0b81", "value": "https://isc.sans.edu/forums/diary/One+if+by+email+and+two+if+by+EK+The+Cerbers+are+coming/21823" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1481870399", "to_ids": false, "type": "comment", "uuid": "58538c3f-4960-4980-bab9-4c6b02de0b81", "value": "As I've discussed before, EKs are merely a method to distribute malware. Criminal groups establish campaigns utilizing EKs to distribute their malware. I often see indicators of campaigns that use Magnitude EK or Rig EK to distribute Cerber ransomware.\r\n\r\nIn my lab environment, I generally don't generate much Magnitude EK. Why? Because Magnitude usually happens through a malvertising campaign, and that's quite difficult to replicate. By the time any particular malvertisement's indicators are known, the criminals have moved to a new malvertisement.\r\n\r\nSince early October 2016, I've typically seen Cerber ransomware from the pseudoDarkleech campaign using Rig EK. PseudoDarkleech currently uses a variant of Rig EK that researcher Kafeine has designated as Rig-V, because it's a \"vip\" version that's evolved from the old Rig EK.\r\n\r\nEITest is another major campaign that utilizes EKs to distribute malware. Although EITest distributes a variety of malware, I'll occasionally see Cerber sent by this campaign." }, { "category": "Network activity", "comment": "Rig-V from the EITest campaign", "deleted": false, "disable_correlation": false, "timestamp": "1481870563", "to_ids": true, "type": "ip-dst", "uuid": "58538ce3-601c-4716-bb6f-417b02de0b81", "value": "195.133.49.182" }, { "category": "Network activity", "comment": "Rig-V from the EITest campaign", "deleted": false, "disable_correlation": false, "timestamp": "1481870564", "to_ids": true, "type": "hostname", "uuid": "58538ce4-7814-4334-8180-418102de0b81", "value": "hit.thincoachmd.com" }, { "category": "Network activity", "comment": "Rig-V from the pseudoDarkleech campaign", "deleted": false, "disable_correlation": false, "timestamp": "1481870564", "to_ids": true, "type": "hostname", "uuid": "58538ce4-7bec-4498-b89a-445302de0b81", "value": "new.slimcoachmd.com" }, { "category": "Network activity", "comment": "1.11.32.0 to 1.11.32.31 (1.11.32.0/27) UDP port 6892 - Cerber post-infection UDP traffic", "deleted": false, "disable_correlation": false, "timestamp": "1481870565", "to_ids": true, "type": "ip-dst", "uuid": "58538ce5-3240-4327-bcc6-4e1a02de0b81", "value": "1.11.32.0" }, { "category": "Network activity", "comment": "1.11.32.0 to 1.11.32.31 (1.11.32.0/27) UDP port 6892 - Cerber post-infection UDP traffic", "deleted": false, "disable_correlation": false, "timestamp": "1481870566", "to_ids": true, "type": "ip-dst", "uuid": "58538ce6-3e80-4e94-8ab8-46fe02de0b81", "value": "55.15.15.0" }, { "category": "Network activity", "comment": "194.165.16.0/23) UDP port 6892 - Cerber post-infection UDP traffic", "deleted": false, "disable_correlation": false, "timestamp": "1481870568", "to_ids": true, "type": "ip-dst", "uuid": "58538ce8-2d7c-49ca-89ae-48bd02de0b81", "value": "194.165.16.0" }, { "category": "Network activity", "comment": "attempted HTTP connections by Cerber from pseudoDarkleech campaign", "deleted": false, "disable_correlation": false, "timestamp": "1481870570", "to_ids": true, "type": "ip-dst", "uuid": "58538cea-d9f0-4ef3-8d22-453e02de0b81", "value": "185.45.192.155" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1481870570", "to_ids": true, "type": "hostname", "uuid": "58538cea-4fe0-4dca-b42e-450802de0b81", "value": "ftoxmpdipwobp4qy.19dmua.top" }, { "category": "Network activity", "comment": "attempted HTTP connections by Cerber from EITest campaign", "deleted": false, "disable_correlation": false, "timestamp": "1481870571", "to_ids": true, "type": "hostname", "uuid": "58538ceb-a834-43a4-aa47-4a9802de0b81", "value": "ffoqr3ug7m726zou.19dmua.top" }, { "category": "Payload delivery", "comment": "Rig-V Flash exploit seen on 2016-12-15", "deleted": false, "disable_correlation": false, "timestamp": "1481870625", "to_ids": true, "type": "sha256", "uuid": "58538d21-bb20-4511-b10a-4a7402de0b81", "value": "df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf" }, { "category": "Payload delivery", "comment": "C:\\Users\\[username]\\AppData\\Local\\Temp\\rad8AA1F.tmp.exe", "deleted": false, "disable_correlation": false, "timestamp": "1481870733", "to_ids": true, "type": "sha256", "uuid": "58538d8d-0888-4b53-a42a-4a4102de0b81", "value": "4e877be5523d5ab453342695fef1d03adb854d215bde2cff647421bd3d583060" }, { "category": "Payload delivery", "comment": "C:\\Users\\[username]\\AppData\\Local\\Temp\\rad8DE79.tmp.exe", "deleted": false, "disable_correlation": false, "timestamp": "1481870753", "to_ids": true, "type": "sha256", "uuid": "58538da1-7b68-45ed-abb7-436b02de0b81", "value": "0e395c547547a79bd29280ea7f918a0559058a58ffc789940ceb4caf7a708610" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1481870766", "to_ids": false, "type": "link", "uuid": "58538dae-a6d8-4f69-bc5c-4fa502de0b81", "value": "http://www.malware-traffic-analysis.net/2016/12/16/index.html" }, { "category": "Payload delivery", "comment": "Rig-V Flash exploit seen on 2016-12-15 - Xchecked via VT: df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf", "deleted": false, "disable_correlation": false, "timestamp": "1481870845", "to_ids": true, "type": "sha1", "uuid": "58538dfd-53a0-4703-ad4e-4e0e02de0b81", "value": "9284df1374b35d929f07e010e88b78a8495c0cfd" }, { "category": "Payload delivery", "comment": "Rig-V Flash exploit seen on 2016-12-15 - Xchecked via VT: df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf", "deleted": false, "disable_correlation": false, "timestamp": "1481870846", "to_ids": true, "type": "md5", "uuid": "58538dfe-0c74-4137-aa72-4db102de0b81", "value": "2b3e5fa9c8932e27531dd26dc92c81f8" }, { "category": "External analysis", "comment": "Rig-V Flash exploit seen on 2016-12-15 - Xchecked via VT: df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf", "deleted": false, "disable_correlation": false, "timestamp": "1481870846", "to_ids": false, "type": "link", "uuid": "58538dfe-0750-4380-83c4-448802de0b81", "value": "https://www.virustotal.com/file/df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf/analysis/1481853351/" } ] } }