Security Alert: Malicious Script Injections Spread Cerber Ransomware, Make Use of Nemucod Downloader

save
Share and earn Cybytes
Facebook Twitter LinkedIn Email

This ongoing ransomware campaign packs a big punch against its victims, aiming for a high success rate in terms of infected systems.

Using a malware cocktail to drive infection rates

The cybercriminals behind the campaign are compromising legitimate websites by injecting malicious scripts. The injects then redirect the victims’ Internet traffic to a Cerber gateway which is known as Pseudo Darkleech (more on this below). The latter is a type of malware infection created to add a strong obfuscation layer and keep detection rates low.

The malicious script injected into these websites is the notorious Nemucod, the generic malware downloader used to transfer malicious software onto the victims’ computers.

In this case, Nemucod is used to download and run Cerber ransomware from two main websites in the execution routine (sanitized for your safety):

doomgamesoa [.] Top / read.php? F = 0.dat

http: //www.astrosean [.] Top / admin.php? F = 1.dat

The attackers are exploiting vulnerabilities in Internet Explorer, Microsoft Edge, Flash Player and Silverlight to infect unsuspecting users. The extent of these exploits is still under investigation and we will update the alert as soon as we have more details.

The extortion part of the ransomware attack is centered around the following domains, a few of which are listed below (sanitized for your safety):

fnmi62725zfti2vy.17vj7b [.] top

ftoxmpdipwobp4qy.17vj7b [.] top

pe2cku7pebkpgeko.17vj7b [.] top

avsxrcoq2q5fgrw2.1bpfr1 [.] top

ffoqr3ug7m726zou.1bpfr1 [.] top

fnmi62725zfti2vy.1bpfr1 [.] top

ftoxmpdipwobp4qy.1bpfr1 [.] top

pe2cku7pebkpgeko.1bpfr1 [.] top

avsxrcoq2q5fgrw2.1mstqg [.] top

cerberhhyed5frqa.1mstqg [.] top

ffoqr3ug7m726zou.1mstqg [.] top

fnmi62725zfti2vy.1mstqg [.] top

ftoxmpdipwobp4qy.1mstqg [.] top

In terms of antivirus detection

Here are the printscreens taken when publishing these alerts:

The malicious payload which supplies Cerber has a detection rate of 3/55 on VirusTotal:

Nemucod payload detection rate - December 22 2016

The Cerber code achieves a detection rate of 5/57 on VirusTotal:

cerber detection rate - December 22 2016

Please keep in mind that this ransomware campaign can affect both individual Internet users and companies. What’s more, Cerber has recently started targeting companies’ databases to maximize profits from the ransom, so this is another reason to take additional precautions.

Why attackers combine multiple types of malware

You may wonder why cyber attackers choose to incorporate so many types of malware in a single attack. The answer is that, by packing multiple types of malicious software, they aim to do two things:

  1. Make the infection stealthy, so it can’t be detected and stopped by antivirus (which is what most people use for protection);
  2. And to make the infection stick (persistence) until it can encrypt all the victim’s data and get to the point where it can ask for ransom and the victim feels compelled to pay for it.  

Second generation malware, such as strong ransomware strains (e.g. Cerber), uses a variety of mechanism to evade antivirus detection. We actually explained some of them in this guide.

These mechanisms are some of the attributes that we often see in advanced cyber attacks, such as the one I just described at the beginning of this alert.

So let’s see what each piece of the puzzle does:

Nemucod

Nemucod first emerged in December 2015 as a Trojan downloader. This cyber threat can download and install other programs (especially malware) on computers without the owner’s consent.

Nemucod can connect to a remote host (as we’ve seen in this alert) and perform a series of actions, including:

  • Checking for an Internet connection
  • Using that connection to download and run files (this includes other malware as well)
  • Reporting infections to the cyber criminal behind the attack
  • Receiving data such as configurations, further instructions and more
  • Uploading information harvested from the infected computer and other malicious tasks.

This malware downloader recently got a ton of attention when it was used in spam IMs on Facebook Messenger to spread Locky ransomware.

Pseudo DarkLeech

We’ve mentioned Pseudo DarkLeech in a security alert published in September 2016, which involved the RIG exploit kit distributing CrypMIC ransomware (no decryption tool available for it yet).

This type of infection uses hidden iframe injections and randomizes elements to enable the malware to operate covertly. This blogpost by Sucuri Security explains its evolution in detail.

Cerber ransomware

Cerber was discovered in March 2016 and its distinguishing features include the fact that it’s professionally coded and that it provides many customization options. From the first analyses it became clear that this encrypting malware is not the work of amateurs.

Since it first appeared, Cerber has has a significant impact on victims all over the world. In Symantec’s ISTR Special Report: Ransomware and Businesses 2016, the team of researchers mentions that:  

Like Locky, Cerber appears to have access to the Dridex spam network, meaning it can be pushed out quickly in large spam campaigns.

Victims whose data is encrypted with Cerber are usually extorted for amounts ranging from 1.24 bitcoins (BTC) to 2.48 BTC ($1,068 to $2,136 according to December 2016 rates).

If you’d like to read more about Cerber, this analysis by MalwareBytes is quite comprehensive.

Together, these 3 elements make for a powerful attack against unsuspecting Internet users.

Core prevention advice

Ransomware is a formidable threat that we’ve written about many times and whose intricacies we tried to unscramble in this dedicated guide.

While more and more decryption tools available for some types of ransomware, the bulk of it remains unbreakable.

To avoid becoming a victim of ransomware, try to follow these 5 steps:

  1. Keep your software up to date. In the case of this current campaign (as with many others), keeping your software up to date is a great layer of defense. Your browsers and software such as Flash and Java are key targets for cyber criminals. Leaving them outdated creates the security holes that attackers exploit to infect your system. Installing updates will help keep your guard up and not give a chance to ransomware infections.
  2.  Create and maintain at least 2 backups of your data, in different locations (in the cloud + on an external drive). If you do get hit with ransomware or any other type of malware, you’ll be able to just wipe your computer clean and restore your data from a backup. No ransom paid, no further fueling cyber criminals in their malicious activities. This is a must-have plan B!
  3. Enhance your browser protection. Many cyber attacks nowadays start from your browser and exploit vulnerabilities in it. If you don’t know where to start, you can check out our guide on the topic.
  4.   Use a reliable antivirus. It may not be able to catch every threat out there, but, to be honest, no security product can. That’s why you need multiple layers. Choose a sturdy AV product and use it to its full potential.
  5. Complement your reactive protection with a proactive security solution. The more security layers you have, the stronger your chances to resist a ransomware infection. This doesn’t mean using multiple AVs (not recommended), but using additional products that complement its functions. You can look for solutions that offer traffic filtering and can block connections to websites and servers that distribute malware, such as the ones involved in this security alert.  

If you want to do even more for your protection (which i hope you do), this anti-ransomware protection plan can help guide your actions.

*This article features cyber intelligence provided by CSIS Security Group researchers.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
Follow
138 Followers
About Heimdal Security
We protect users and companies from cyber-criminal actions, by keeping confidential information and intellectual property safe. We build products focused on proactive cyber security and we dedicate a big part of our efforts to cyber security education for everyone.
Promoted Content
Expert Roundup: Is Internet Security a Losing Battle?
A while ago, one of our readers asked us to answer the following questions: Is Internet security a losing battle? How come companies are always 1-2 steps behind the fight? How can the bad guys respond so fast?That reader is certainly not the only one with this issue on his mind. Many Internet users feel discouraged by the current state of cyber crime and its consequences, and the rest don’t yet understand why they should care about it. We wanted to do something to change this.Naturally, users like you and me are not the only ones who wrestle this dilemma. Within the industry, cyber security experts are deeply involved in studying the causes and changes which have brought us to this point so they can create better solutions. Each of these experts brings a different perspective to the discussion, because no single person can ever claim to have the full picture.That is why we reached out to some of the most experienced cyber security specialists in the field to gather their thoughts on the topic. We believe that the questions we received are justified and they deserve an honest answer. And you will find plenty of them in the article!

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel