Symbol: win.cerber
Common name: Cerber


A prolific ransomware which originally appended ".cerber" as the file extension of encrypted files. It has undergone multiple iterations in which the extension has changed. It uses a very readily identifiable pattern of UDP activity to check in and report infections, and primarily uses TOR for payment information.

References
2023-01-30 | Checkpoint | Arie Olshtein
@online{olshtein:20230130:following:e442fcc, author = {Arie Olshtein}, title = {{Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware}}, date = {2023-01-30}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/}, language = {English}, urldate = {2023-01-31} }
Families: Agent Tesla, Azorult, Buer, Cerber, Cobalt Strike, Emotet, Formbook, HawkEye Keylogger, Loki Password Stealer (PWS), Maze, NetWire RC, Remcos, REvil, TrickBot
2022-06-16 | SophosLabs Uncut | Andrew Brandt
@online{brandt:20220616:confluence:0bbf8de, author = {Andrew Brandt}, title = {{Confluence exploits used to drop ransomware on vulnerable servers}}, date = {2022-06-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/}, language = {English}, urldate = {2022-06-17} }
Families: Cerber
2022-01-19 | Blackberry | The BlackBerry Research & Intelligence Team
@online{team:20220119:kraken:5b52d17, author = {The BlackBerry Research & Intelligence Team}, title = {{Kraken the Code on Prometheus}}, date = {2022-01-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus}, language = {English}, urldate = {2022-05-25} }
Families: Prometheus Backdoor, BlackMatter, Cerber, Cobalt Strike, DCRat, Ficker Stealer, QakBot, REvil, Ryuk
2021-10-05 | Trend Micro | Fyodor Yarochkin, Janus Agcaoili, Byron Gelera, Nikko Tamana
@online{yarochkin:20211005:ransomware:e5f5375, author = {Fyodor Yarochkin and Janus Agcaoili and Byron Gelera and Nikko Tamana}, title = {{Ransomware as a Service: Enabler of Widespread Attacks}}, date = {2021-10-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks}, language = {English}, urldate = {2021-10-20} }
Families: Cerber, Conti, DarkSide, Gandcrab, Locky, Nefilim, REvil, Ryuk
2021-09-01 | YouTube (Black Hat) | Tsuyoshi Taniguchi, Christian Doerr
@online{taniguchi:20210901:how:98ed0d5, author = {Tsuyoshi Taniguchi and Christian Doerr}, title = {{How Did the Adversaries Abusing the Bitcoin Blockchain Evade Our Takeover?}}, date = {2021-09-01}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=y8Z9KnL8s8s}, language = {English}, urldate = {2021-09-12} }
Families: Cerber, Pony
2021-08-05 | KrebsOnSecurity | Brian Krebs
@online{krebs:20210805:ransomware:0962b82, author = {Brian Krebs}, title = {{Ransomware Gangs and the Name Game Distraction}}, date = {2021-08-05}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/}, language = {English}, urldate = {2021-12-13} }
Families: DarkSide, RansomEXX, Babuk, Cerber, Conti, DarkSide, DoppelPaymer, Egregor, FriedEx, Gandcrab, Hermes, Maze, RansomEXX, REvil, Ryuk, Sekhmet
2021-05-06 | Black Hat | Tsuyoshi Taniguchi, Christian Doerr
@techreport{taniguchi:20210506:how:45b144d, author = {Tsuyoshi Taniguchi and Christian Doerr}, title = {{How Did the Adversaries Abusing Bitcoin Blockchain Evade Our Takeover}}, date = {2021-05-06}, institution = {Black Hat}, url = {https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf}, language = {English}, urldate = {2021-09-12} }
Families: Cerber, Pony
2021-04-12 | PTSecurity | PTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} }
Families: Amadey, Bunitu, Cerber, Dridex, ISFB, KPOT Stealer, Mailto, Nemty, Phobos, Pony, Predator The Thief, QakBot, Raccoon, RTM, SmokeLoader, Zloader
2021-03-21 | Blackberry | Blackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} }
Families: Bashlite, FritzFrog, IPStorm, Mirai, Tsunami, elf.wellmess, AppleJeus, Dacls, EvilQuest, Manuscrypt, Astaroth, BazarBackdoor, Cerber, Cobalt Strike, Emotet, FinFisher RAT, Kwampirs, MimiKatz, NjRAT, Ryuk, SmokeLoader, TrickBot
2020-12-10 | US-CERT | US-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} }
Families: PerlBot, Shlayer, Agent Tesla, Cerber, Dridex, Ghost RAT, Kovter, Maze, MedusaLocker, Nanocore RAT, Nefilim, REvil, Ryuk, Zeus
2020-07-29 | ESET Research | welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} }
Families: DEFENSOR ID, HiddenAd, Bundlore, Pirrit, Agent.BTZ, Cerber, ClipBanker, CROSSWALK, Cryptowall, CTB Locker, DanaBot, Dharma, Formbook, Gandcrab, Grandoreiro, Houdini, ISFB, LockBit, Locky, Mailto, Maze, Microcin, Nemty, NjRAT, Phobos, PlugX, Pony, REvil, Socelars, STOP, Tinba, TrickBot, WannaCryptor
2020-02-25 | RSA Conference | Joel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} }
Families: FastCash, Cerber, Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Mamba, Phobos, Rapid Ransom, REvil, Ryuk, SamSam, Zeus
2018-08-06 | rinse and REpeat analysis | James Haughom
@online{haughom:20180806:reversing:8b4d9cf, author = {James Haughom}, title = {{Reversing Cerber - RaaS}}, date = {2018-08-06}, organization = {rinse and REpeat analysis}, url = {https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html}, language = {English}, urldate = {2020-01-08} }
Families: Cerber
2018-07-26 | IEEE Symposium on Security and Privacy (SP) | Danny Yuxing Huang, Maxwell Matthaios Aliapoulios, Vector Guo Li, Luca Invernizzi, Kylie McRoberts, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Alex C. Snoeren, Damon McCoy
@techreport{huang:20180726:tracking:b51d0ee, author = {Danny Yuxing Huang and Maxwell Matthaios Aliapoulios and Vector Guo Li and Luca Invernizzi and Kylie McRoberts and Elie Bursztein and Jonathan Levin and Kirill Levchenko and Alex C. Snoeren and Damon McCoy}, title = {{Tracking Ransomware End-to-end}}, date = {2018-07-26}, institution = {IEEE Symposium on Security and Privacy (SP)}, url = {https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf}, language = {English}, urldate = {2021-04-16} }
Families: Cerber, Locky, WannaCryptor
2017-12-11 | United States Department of Justice | United States Department of Justice
@online{justice:20171211:united:3fee774, author = {United States Department of Justice}, title = {{United States of America v. MIHAI ALEXANDRU ISVANCA and EVELINE CISMARU}}, date = {2017-12-11}, organization = {United States Department of Justice}, url = {https://www.justice.gov/usao-dc/press-release/file/1021186/download}, language = {English}, urldate = {2023-07-19} }
Families: Cerber, Dharma
2017-12 | Check Point | Stanislav Skuratovich, Neomi Rona
@online{skuratovich:201712:nine:f4ecc23, author = {Stanislav Skuratovich and Neomi Rona}, title = {{Nine circles of Cerber}}, date = {2017-12}, organization = {Check Point}, url = {https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/}, language = {English}, urldate = {2019-11-26} }
Families: Cerber
2017-03-28 | Trend Micro | Gilbert Sison
@online{sison:20170328:cerber:cfb6c77, author = {Gilbert Sison}, title = {{Cerber Starts Evading Machine Learning}}, date = {2017-03-28}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/}, language = {English}, urldate = {2019-12-19} }
Families: Cerber
2016-03-11 | Malwarebytes | hasherezade
@online{hasherezade:20160311:cerber:f1fb954, author = {hasherezade}, title = {{Cerber ransomware: new, but mature}}, date = {2016-03-11}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/}, language = {English}, urldate = {2019-12-20} }
Families: Cerber
Yara Rules
[TLP:WHITE] win_cerber_auto (20230715 | Detects win.cerber.)
rule win_cerber_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.cerber."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83be0c01000000 7508 ff36 ff15???????? 899e14010000 eb06 89be14010000 }
            // n = 7, score = 1200
            //   83be0c01000000       | cmp                 dword ptr [esi + 0x10c], 0
            //   7508                 | jne                 0xa
            //   ff36                 | push                dword ptr [esi]
            //   ff15????????         |                     
            //   899e14010000         | mov                 dword ptr [esi + 0x114], ebx
            //   eb06                 | jmp                 8
            //   89be14010000         | mov                 dword ptr [esi + 0x114], edi

        $sequence_1 = { e8???????? 83c410 0bf0 8bc6 eb4f 8365f800 83c8ff }
            // n = 7, score = 1200
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   0bf0                 | or                  esi, eax
            //   8bc6                 | mov                 eax, esi
            //   eb4f                 | jmp                 0x51
            //   8365f800             | and                 dword ptr [ebp - 8], 0
            //   83c8ff               | or                  eax, 0xffffffff

        $sequence_2 = { b9b2000000 8bfb f3a5 8b4d0c 8bc3 e8???????? 8b450c }
            // n = 7, score = 1200
            //   b9b2000000           | mov                 ecx, 0xb2
            //   8bfb                 | mov                 edi, ebx
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8bc3                 | mov                 eax, ebx
            //   e8????????           |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_3 = { 83f9ff 7407 49 898e10010000 6a00 ff36 ff15???????? }
            // n = 7, score = 1200
            //   83f9ff               | cmp                 ecx, -1
            //   7407                 | je                  9
            //   49                   | dec                 ecx
            //   898e10010000         | mov                 dword ptr [esi + 0x110], ecx
            //   6a00                 | push                0
            //   ff36                 | push                dword ptr [esi]
            //   ff15????????         |                     

        $sequence_4 = { ff15???????? f7d8 1bc0 f7d8 c3 85c0 741e }
            // n = 7, score = 1200
            //   ff15????????         |                     
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   f7d8                 | neg                 eax
            //   c3                   | ret                 
            //   85c0                 | test                eax, eax
            //   741e                 | je                  0x20

        $sequence_5 = { 33c0 eb5a 8365e400 8365fc00 ff7508 8b3d???????? ffd7 }
            // n = 7, score = 1200
            //   33c0                 | xor                 eax, eax
            //   eb5a                 | jmp                 0x5c
            //   8365e400             | and                 dword ptr [ebp - 0x1c], 0
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8b3d????????         |                     
            //   ffd7                 | call                edi

        $sequence_6 = { 8bd8 d3eb 8b4d10 881c0a 4a 79e6 }
            // n = 6, score = 1200
            //   8bd8                 | mov                 ebx, eax
            //   d3eb                 | shr                 ebx, cl
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   881c0a               | mov                 byte ptr [edx + ecx], bl
            //   4a                   | dec                 edx
            //   79e6                 | jns                 0xffffffe8

        $sequence_7 = { e9???????? ff7528 8d8534fdffff 53 ff7520 ff751c ff7518 }
            // n = 7, score = 1200
            //   e9????????           |                     
            //   ff7528               | push                dword ptr [ebp + 0x28]
            //   8d8534fdffff         | lea                 eax, [ebp - 0x2cc]
            //   53                   | push                ebx
            //   ff7520               | push                dword ptr [ebp + 0x20]
            //   ff751c               | push                dword ptr [ebp + 0x1c]
            //   ff7518               | push                dword ptr [ebp + 0x18]

    condition:
        7 of them and filesize < 573440
}