A new Cerber ransomware campaign arrives as parcel delivery notifications carrying a zip attachment.
The zip archive contains a JavaScript downloader that fetches the Cerber ransomware:
Cerber requires the .NET Framework 2.0 to run, so the ransomware may also download the 'NetFx20SP1_x86.exe' package (the .NET Framework 2.0 SP1 installer for x86):
As usual, Cerber drops its ransom notes in every folder containing encrypted files:
It also sets the desktop wallpaper:
The ransomware encrypts files through Microsoft's CryptoAPI using a combination of AES and RSA, so the victim has no way to recover the files without the attacker's private key.
Sample
Network IoCs
levardphotos.com
eastgrandrapidsrealty.com
julianrockmemorial.org
flapropertylaw.com
asian-merchants.com
ccmiti.com
ah.5ith.com
conferenciabiblica2015.com
jasonanthonymusic.com
w3sa.ch
185.117.72.90
187.151.226.180
23.78.11.117
23.80.62.22
189.252.246.11
60.251.128.82
108.179.193.65
50.56.150.241
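The domains and IP addresses above are only useful if they are actually checked against proxy or DNS logs. The following Python script is an added example (it is not part of the original post and not NioGuard's code): it loads the network IoCs listed above and scans log lines for them, matching IPs exactly and domains by DNS label so that subdomains such as www.levardphotos.com hit while look-alikes such as evilccmiti.com do not. The log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Network IoCs as listed in the post.
IOC_DOMAINS = {
    "levardphotos.com", "eastgrandrapidsrealty.com", "julianrockmemorial.org",
    "flapropertylaw.com", "asian-merchants.com", "ccmiti.com", "ah.5ith.com",
    "conferenciabiblica2015.com", "jasonanthonymusic.com", "w3sa.ch",
}
IOC_IPS = {
    "185.117.72.90", "187.151.226.180", "23.78.11.117", "23.80.62.22",
    "189.252.246.11", "60.251.128.82", "108.179.193.65", "50.56.150.241",
}

# Constructed sample proxy log: "<time> <client> <method> <url> <status>".
# Line 4 is a deliberate near-miss (evilccmiti.com is not a subdomain of ccmiti.com).
SAMPLE_LOG = """\
2016-03-10T09:12:01Z 10.0.0.15 GET http://www.levardphotos.com/wp-content/ab.js 200
2016-03-10T09:12:02Z 10.0.0.15 GET http://185.117.72.90/ 200
2016-03-10T09:13:40Z 10.0.0.22 GET http://www.microsoft.com/en-us/download/ 200
2016-03-10T09:14:05Z 10.0.0.15 GET http://evilccmiti.com/x 200
2016-03-10T09:14:07Z 10.0.0.15 POST http://ah.5ith.com:8080/gate 200
"""


def host_matches(host: str) -> Optional[str]:
    """Return the IoC that `host` matches, or None.

    IPs must match exactly; domain names match if the host is the IoC itself
    or any subdomain of it (matching on whole DNS labels, not substrings).
    """
    host = host.strip().lower().rstrip(".")
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return host if host in IOC_IPS else None
    except ValueError:
        pass  # not an IP literal, treat as a domain name
    labels = host.split(".")
    # Walk from the full name up to its parent domains, stopping before the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, host, matched IoC) for every log line that hits an IoC."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip
        host = urlsplit(parts[3]).hostname or ""  # hostname strips scheme and port
        ioc = host_matches(host)
        if ioc:
            hits.append((n, host, ioc))
    return hits


if __name__ == "__main__":
    for n, host, ioc in scan_log(SAMPLE_LOG):
        print(f"line {n}: {host} -> matches IoC {ioc}")
```

Label-based matching matters here: a plain substring check would flag evilccmiti.com as ccmiti.com, while a strict equality check would miss www.levardphotos.com; the walk up the label hierarchy gets both cases right.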
Yara rule
rule CerberRansomware_mem
{
    meta:
        author = "NioGuard Security Lab"
        info = "Detecting the Cerber process"
        reference = "http://nioguard.com/"

    strings:
        // Ransom note filename template as it appears in the process memory,
        // before {RAND} is replaced with the per-victim random string.
        $a1 = "_READ_THIS_FILE_{RAND}_."
        // Extensions of the ransom notes (.hta, .txt) and wallpaper (.jpeg).
        // These are too short to be useful alone, hence the AND with $a1.
        $a2 = "hta"
        $a3 = "txt"
        $a4 = "jpeg"

    condition:
        $a1 and ($a2 or $a3 or $a4)
}