FYI - Cerber Ransomware Served Up From Web Site


Eset nailed it and I couldn't think of a better example for why SSL protocol scanning needs to be enabled.

Attempted access to web site via Google produced this:

Time: 3/30/2017 3:16:03 PM
Scanner: HTTP filter
Object type: file
Object: hxxps://www.greyhathacker.net/?p=948
Threat: PowerShell/TrojanDownloader.Agent.DV trojan
Action: connection terminated
User: XXX-PC\XXX-XXXX
Information: Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe
Hash: (8288B566340C2BFEC37768F5A029027DDA7C2A5B)
First seen here: 793568AC8277B3F03FAC123E0898A16AF1E103A5


  • Administrators

Did you somehow format the threat record so that each field is on a new line? I'm asking because Hash and First seen here are shifted one line down. Correctly it should look like:

Information: Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe (8288B566340C2BFEC37768F5A029027DDA7C2A5B)
Hash: 793568AC8277B3F03FAC123E0898A16AF1E103A5
First seen here:


Yes. Sorry about that. Here's the unedited log:

Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
3/30/2017 4:29:05 PM;HTTP filter;file;https://www.greyhathacker.net/?p=948;PowerShell/TrojanDownloader.Agent.DV trojan;connection terminated;XXX-PC\XXX-XXXX;Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe (8288B566340C2BFEC37768F5A029027DDA7C2A5B).;C7214E6DC89BDAA2ED20CB6F6BA068BB1A3314A8;

Also, I scanned that URL at VirusTotal and it's coming up 100% clean including NOD32 detection.

-EDIT- Just noticed the hash changed from the first detection?

Edited by itman
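Added example (not code from the thread or from ESET): a small parser for the semicolon-delimited detected-threats export quoted above. It pulls the SHA1 in parentheses out of the Information field (the hash of the application that triggered the detection, iexplore.exe) separately from the Hash column (the detected object), which is the field-shift Marcos points out, and then groups Hash values per Object so a change between two detections of the same URL, as itman noticed, is visible. The second record is reconstructed from the first post's values laid out per Marcos's correction; field layout and column names are assumed from the quoted export.

```python
import csv
import io
import re

# Constructed sample: two detections of the same URL in the export layout
# quoted in the thread (URL defanged). Record 1 is reconstructed from the
# first post, record 2 is the unedited log line as posted.
SAMPLE_EXPORT = r"""Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
3/30/2017 3:16:03 PM;HTTP filter;file;hxxps://www.greyhathacker.net/?p=948;PowerShell/TrojanDownloader.Agent.DV trojan;connection terminated;XXX-PC\XXX-XXXX;Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe (8288B566340C2BFEC37768F5A029027DDA7C2A5B).;793568AC8277B3F03FAC123E0898A16AF1E103A5;
3/30/2017 4:29:05 PM;HTTP filter;file;hxxps://www.greyhathacker.net/?p=948;PowerShell/TrojanDownloader.Agent.DV trojan;connection terminated;XXX-PC\XXX-XXXX;Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe (8288B566340C2BFEC37768F5A029027DDA7C2A5B).;C7214E6DC89BDAA2ED20CB6F6BA068BB1A3314A8;
"""

# A 40-hex-digit SHA1 wrapped in parentheses, as it appears at the end of
# the Information field.
SHA1_IN_PARENS = re.compile(r"\(([0-9A-Fa-f]{40})\)")


def parse_eset_export(text):
    """Parse the ';'-delimited export into a list of dicts keyed by header.

    The trailing ';' on each row yields an empty 'First seen here' field,
    which csv.DictReader handles without shifting the other columns.
    An extra key 'Application hash' carries the SHA1 found in Information.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    records = []
    for row in reader:
        rec = {k: (v or "").strip() for k, v in row.items() if k is not None}
        m = SHA1_IN_PARENS.search(rec.get("Information", ""))
        rec["Application hash"] = m.group(1).upper() if m else ""
        records.append(rec)
    return records


def hashes_by_object(records):
    """Map each Object (URL/file) to the set of Hash values seen for it.

    More than one hash for the same object means the served content changed
    between detections, which is worth a second look during triage.
    """
    seen = {}
    for rec in records:
        seen.setdefault(rec["Object"], set()).add(rec["Hash"].upper())
    return seen
```

Objects with more than one hash in `hashes_by_object` are the ones to triage first; the application hash stays constant across both records because it identifies the browser, not the payload.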

@Marcos What's the verdict on this?

Curious since to date web site ransomware has been delivered by exploit. Wondering if a new vulnerability has been found in IE11?

Also since the hash changes, looks like polymorphic ransomware to me.

-EDIT-

This also might be related: http://www.zdnet.com/article/skype-served-up-malware-through-in-app-malicious-ads/ i.e. Skype users hit by ransomware through in-app malicious ads.

I don't use Skype. But what caught my eye about this attack was:

The "fake Flash" ad, designed to target Windows machines, pushed a download, which when opened would trigger obfuscated JavaScript. The code starts a new command line, then deletes the application that the user just opened, and runs a PowerShell command, which then downloads a JavaScript Encoded Script (JSE) from a domain that no longer exists, likely one of many disposable domains used to hide an attacker's operations.

Don't see why a download could not be attempted upon web site access e.g. drive-by download?

Edited by itman
