win.cerber

Cerber


A prolific ransomware family that originally appended ".cerber" as the file extension of encrypted files; the extension has changed across its multiple iterations. It uses a very readily identifiable pattern of UDP activity to check in and report infections, and primarily uses Tor for payment information.

References
2020-12-10 | US-CERT | US-CERT, FBI, MS-ISAC
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} }
Families referenced: PerlBot, Shlayer, Agent Tesla, Cerber, Dridex, Ghost RAT, Kovter, Maze, MedusaLocker, Nanocore RAT, Nefilim Ransomware, REvil, Ryuk, Zeus

2020-07-29 | ESET Research | welivesecurity
THREAT REPORT Q2 2020
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} }
Families referenced: DEFENSOR ID, HiddenAd, Bundlore, Pirrit, Agent.BTZ, Cerber, ClipBanker, CROSSWALK, Cryptowall, CTB Locker, DanaBot, Dharma, Formbook, Gandcrab, Grandoreiro, Houdini, ISFB, LockBit, Locky, Mailto, Maze, Microcin, Nemty, NjRAT, Phobos Ransomware, PlugX, Pony, REvil, Socelars, STOP Ransomware, Tinba, TrickBot, WannaCryptor

2020-02-25 | RSA Conference | Joel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} }
Families referenced: FastCash, Cerber, Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Mamba, Phobos Ransomware, Rapid Ransom, REvil, Ryuk, SamSam, Zeus

2018-08-06 | rinse and REpeat analysis | James Haughom
Reversing Cerber - RaaS
@online{haughom:20180806:reversing:8b4d9cf, author = {James Haughom}, title = {{Reversing Cerber - RaaS}}, date = {2018-08-06}, organization = {rinse and REpeat analysis}, url = {https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html}, language = {English}, urldate = {2020-01-08} }
Families referenced: Cerber

2017-12 | Check Point | Stanislav Skuratovich, Neomi Rona
Nine circles of Cerber
@online{skuratovich:201712:nine:f4ecc23, author = {Stanislav Skuratovich and Neomi Rona}, title = {{Nine circles of Cerber}}, date = {2017-12}, organization = {Check Point}, url = {https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/}, language = {English}, urldate = {2019-11-26} }
Families referenced: Cerber

2017-03-28 | Trend Micro | Gilbert Sison
Cerber Starts Evading Machine Learning
@online{sison:20170328:cerber:cfb6c77, author = {Gilbert Sison}, title = {{Cerber Starts Evading Machine Learning}}, date = {2017-03-28}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/}, language = {English}, urldate = {2019-12-19} }
Families referenced: Cerber

2016-03-11 | Malwarebytes | hasherezade
Cerber ransomware: new, but mature
@online{hasherezade:20160311:cerber:f1fb954, author = {hasherezade}, title = {{Cerber ransomware: new, but mature}}, date = {2016-03-11}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/}, language = {English}, urldate = {2019-12-20} }
Families referenced: Cerber
Yara Rules
[TLP:WHITE] win_cerber_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_cerber_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eba0 47 3bf8 0f8c3effffff 5e 5b 5f }
            // n = 7, score = 1200
            //   eba0                 | jmp                 0xffffffa2
            //   47                   | inc                 edi
            //   3bf8                 | cmp                 edi, eax
            //   0f8c3effffff         | jl                  0xffffff44
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi

        $sequence_1 = { ff750c e8???????? 59 59 84c0 74e9 8d45f8 }
            // n = 7, score = 1200
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   84c0                 | test                al, al
            //   74e9                 | je                  0xffffffeb
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_2 = { 8b4510 c6040200 4a 79f6 }
            // n = 4, score = 1200
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   c6040200             | mov                 byte ptr [edx + eax], 0
            //   4a                   | dec                 edx
            //   79f6                 | jns                 0xfffffff8

        $sequence_3 = { 237878 899804010000 8b5864 23de 8b75fc }
            // n = 5, score = 1200
            //   237878               | and                 edi, dword ptr [eax + 0x78]
            //   899804010000         | mov                 dword ptr [eax + 0x104], ebx
            //   8b5864               | mov                 ebx, dword ptr [eax + 0x64]
            //   23de                 | and                 ebx, esi
            //   8b75fc               | mov                 esi, dword ptr [ebp - 4]

        $sequence_4 = { 6a00 ff36 ff15???????? bf02010000 3bc7 7561 }
            // n = 6, score = 1200
            //   6a00                 | push                0
            //   ff36                 | push                dword ptr [esi]
            //   ff15????????         |                     
            //   bf02010000           | mov                 edi, 0x102
            //   3bc7                 | cmp                 eax, edi
            //   7561                 | jne                 0x63

        $sequence_5 = { 7508 6a03 58 e9???????? 39860c010000 }
            // n = 5, score = 1200
            //   7508                 | jne                 0xa
            //   6a03                 | push                3
            //   58                   | pop                 eax
            //   e9????????           |                     
            //   39860c010000         | cmp                 dword ptr [esi + 0x10c], eax

        $sequence_6 = { 75d9 8b45f8 5f 5e 5b c9 c3 }
            // n = 7, score = 1200
            //   75d9                 | jne                 0xffffffdb
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c3                   | ret                 

        $sequence_7 = { 51 8d843078030000 50 e8???????? eb1d }
            // n = 5, score = 1200
            //   51                   | push                ecx
            //   8d843078030000       | lea                 eax, [eax + esi + 0x378]
            //   50                   | push                eax
            //   e8????????           |                     
            //   eb1d                 | jmp                 0x1f

    condition:
        7 of them and filesize < 573440
}