CERBER Ransomware Hidden C2 Servers Traffic and Malware Analysis

By | January 16, 2017

Cerber ransomware has been one of the most prolific crimeware botnets to arise; it is currently generating an estimated $2.5 million a year and rising. Once infected, your content is encrypted and held for ransom, as the name implies. You will see an image pop up with instructions on how to reclaim your data, along with audio telling you that you have been infected and to follow the instructions if you want your data back. The instructions require you to install the Tor browser and make a Bitcoin payment to reclaim your property. If you have anything on your computer you can't live without, I would recommend paying the ransom; otherwise the best course of action is to re-image your computer.

Why are they so successful? First, they are rather smart and their infrastructure constantly changes. Additionally, they hide their C2 servers within UDP traffic sent to multiple CIDR ranges; 99% of that UDP traffic is benign and serves only to confuse analysts and hide the true control servers.

The group hacks certain easily exploitable networks and operates its own master C2 servers, to which the hacked slave servers pass data. One such host, hacked by a blackhat, was monitored for Cerber communication: port 6892 was filtered, but the traffic sent to it was captured and forwarded to the master node. The ports running on the host were:

Not shown: 985 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
110/tcp  open     pop3
111/tcp  open     rpcbind
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap
443/tcp  open     https
445/tcp  filtered microsoft-ds
993/tcp  open     imaps
995/tcp  open     pop3s
1720/tcp filtered h323q931
3306/tcp open     mysql

Suspected buried C2 IP ranges within each infection sample reviewed

Sample 1:

2017-01-15 23:41:23.390149 IP 192.168.1.102.55397 > 91.239.24.2.6892: UDP, length 25
E..5bM…..k…f[….e…!..c9e537574920044695010008c
2017-01-15 23:41:23.390153 IP 192.168.1.102.55397 > 91.239.24.3.6892: UDP, length 25
E..5-……….f[….e…!..c9e537574920044695010008c
2017-01-15 23:41:23.390201 IP 192.168.1.102.55397 > 91.239.24.4.6892: UDP, length 25
E..5.}…..9…f[….e…!..c9e537574920044695010008c

Sample 2:

2017-01-15 23:26:49.289051 IP 192.168.1.102.57428 > 194.165.16.9.6892: UDP, length 10
E..&…….D…f…     .T….6hhi005c9027……..
2017-01-15 23:26:49.289100 IP 192.168.1.102.57428 > 194.165.16.10.6892: UDP, length 10
E..&t…..2’…f…
.T….6ghi005c9027……..

2017-01-15 23:26:52.735146 IP 192.168.1.102.57429 > 194.165.17.244.6892: UDP, length 24
E..4Si….Q….f…..U… ..8870f233185a005c950110f5
2017-01-15 23:26:52.735196 IP 192.168.1.102.57429 > 194.165.17.245.6892: UDP, length 24
E..4…….O…f…..U… ..8870f233185a005c950110f5

Sample 3:

2017-01-16 00:21:03.206140 IP 192.168.1.102.61992 > 91.239.25.241.6892: UDP, length 25
E..567………f[….(…!..9973e23bd78600889501000d0
2017-01-16 00:21:03.206190 IP 192.168.1.102.61992 > 91.239.25.242.6892: UDP, length 25
E..5N……….f[….(…!..9973e23bd78600889501000d0
2017-01-16 00:21:03.206248 IP 192.168.1.102.61992 > 91.239.25.243.6892: UDP, length 25
E..5…….:…f[….(…!..9973e23bd78600889501000d0

Sample 4:

2017-01-16 00:01:48.758846 IP 192.168.1.102.65032 > 91.239.25.242.6892: UDP, length 25
E..5L……….f[……..!.o22cf9e2fd015008e9501000b2
2017-01-16 00:01:48.758909 IP 192.168.1.102.65032 > 91.239.25.243.6892: UDP, length 25
E..5…….:…f[……..!.n22cf9e2fd015008e9501000b2
2017-01-16 00:01:48.758966 IP 192.168.1.102.65032 > 91.239.25.244.6892: UDP, length 25
E..58……….f[……..!.m22cf9e2fd015008e9501000b2
2017-01-16 00:01:48.758971 IP 192.168.1.102.65032 > 91.239.25.245.6892: UDP, length 25
E..5…….(…f[……..!.l22cf9e2fd015008e9501000b2
2017-01-16 00:01:48.759037 IP 192.168.1.102.65032 > 91.239.25.246.6892: UDP, length 25
E..5………..f[……..!.k22cf9e2fd015008e9501000b2

Sample 5:

2017-01-15 23:51:16.211660 IP 192.168.1.102.57972 > 91.239.24.11.6892: UDP, length 25
E..5H……….f[….t…!..9b735127a8440091c50100086
2017-01-15 23:51:16.211662 IP 192.168.1.102.57972 > 91.239.24.12.6892: UDP, length 25
E..5………..f[….t…!..9b735127a8440091c50100086
2017-01-15 23:51:16.211750 IP 192.168.1.102.57972 > 91.239.24.13.6892: UDP, length 25
E..54D…..i…f[….t…!..9b735127a8440091c50100086
2017-01-15 23:51:16.211800 IP 192.168.1.102.57972 > 91.239.24.14.6892: UDP, length 25
E..5\`…..L…f[….t…!..9b735127a8440091c50100086
2017-01-15 23:51:16.211850 IP 192.168.1.102.57972 > 91.239.24.15.6892: UDP, length 25
E..5………..f[….t…!..9b735127a8440091c50100086

Sample 6:

2016-12-17 00:01:33.939738 IP 192.168.1.102.50260 > 91.239.24.0.6892: UDP, length 25
E..5………..f[….T…!..ac71ae205179044695010009a
2016-12-17 00:01:33.939746 IP 192.168.1.102.50260 > 91.239.24.1.6892: UDP, length 25
E..5;-………f[….T…!..ac71ae205179044695010009a
2016-12-17 00:01:33.939798 IP 192.168.1.102.50260 > 91.239.24.2.6892: UDP, length 25
E..5^……….f[….T…!..ac71ae205179044695010009a
2016-12-17 00:01:33.939878 IP 192.168.1.102.50260 > 91.239.24.3.6892: UDP, length 25
E..5g……….f[….T…!..ac71ae205179044695010009a
2016-12-17 00:01:33.939887 IP 192.168.1.102.50260 > 91.239.24.4.6892: UDP, length 25
E..5,……(…f[….T…!..ac71ae205179044695010009a

Sample 7:

2016-12-16 01:29:16.678089 IP 192.168.1.102.59297 > 194.165.16.1.6892: UDP, length 10
E..&o…..7P…f……….’Uhi00889070……..
2016-12-16 01:29:16.678161 IP 192.168.1.102.59297 > 194.165.16.2.6892: UDP, length 10
E..&
……….f……….’Thi00889070……..
2016-12-16 01:29:16.678172 IP 192.168.1.102.59297 > 194.165.16.3.6892: UDP, length 10
E..&3+….s….f……….’Shi00889070……..
2016-12-16 01:29:16.678223 IP 192.168.1.102.59297 > 194.165.16.4.6892: UDP, length 10
E..&xk………f……….’Rhi00889070……..
2016-12-16 01:29:16.678305 IP 192.168.1.102.59297 > 194.165.16.5.6892: UDP, length 10
E..&A…..eT…f……….’Qhi00889070……..
2016-12-16 01:29:16.678357 IP 192.168.1.102.59297 > 194.165.16.6.6892: UDP, length 10
E..&$……y…f……….’Phi00889070……..
2016-12-16 01:29:16.678363 IP 192.168.1.102.59297 > 194.165.16.7.6892: UDP, length 10
E..&.c………f……….’Ohi00889070……..
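Every sample above shows the same shape: one source port sprays identically sized UDP datagrams to consecutive addresses in a single /24 on port 6892 within microseconds. The following detector, added here as an example and not part of the original post, parses tcpdump summary lines of that form and flags such fan-outs per /24; the capture lines it embeds are constructed from Sample 1 plus two made-up DNS packets to a local resolver (192.168.1.1, an assumed address) that must not trigger.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Matches tcpdump summary lines like the ones in the samples above:
# "2017-01-15 23:41:23.390149 IP 192.168.1.102.55397 > 91.239.24.2.6892: UDP, length 25"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

# Constructed sample: three lines copied from Sample 1, then two benign DNS packets.
SAMPLE_LINES = """\
2017-01-15 23:41:23.390149 IP 192.168.1.102.55397 > 91.239.24.2.6892: UDP, length 25
2017-01-15 23:41:23.390153 IP 192.168.1.102.55397 > 91.239.24.3.6892: UDP, length 25
2017-01-15 23:41:23.390201 IP 192.168.1.102.55397 > 91.239.24.4.6892: UDP, length 25
2017-01-15 23:41:25.000000 IP 192.168.1.102.50123 > 192.168.1.1.53: UDP, length 40
2017-01-15 23:41:25.100000 IP 192.168.1.102.50123 > 192.168.1.1.53: UDP, length 40
""".splitlines()

def parse(lines):
    """Yield (timestamp, src, sport, dst, dport, length) for each UDP summary line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                   m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["len"]))

def find_udp_sweeps(lines, min_hosts=3, window_s=1.0):
    """Flag a (src, sport, dport, length) flow that reaches >= min_hosts distinct
    addresses inside one /24 within window_s seconds. Returns a list of
    (src, sport, dport, length, cidr, host_count) tuples."""
    groups = defaultdict(list)
    for ts, src, sport, dst, dport, length in parse(lines):
        cidr = str(ip_network(f"{dst}/24", strict=False))
        groups[(src, sport, dport, length, cidr)].append((ts, dst))
    hits = []
    for (src, sport, dport, length, cidr), pkts in groups.items():
        pkts.sort()
        hosts = {dst for _, dst in pkts}
        span = (pkts[-1][0] - pkts[0][0]).total_seconds()
        if len(hosts) >= min_hosts and span <= window_s:
            hits.append((src, sport, dport, length, cidr, len(hosts)))
    return hits

if __name__ == "__main__":
    for hit in find_udp_sweeps(SAMPLE_LINES):
        print("UDP sweep: %s:%d -> %s port %d, %d hosts, %d-byte payloads" % (
            hit[0], hit[1], hit[4], hit[2], hit[5], hit[3]))
```

Run it against `tcpdump -n -tttt udp` output from a suspect host; the /24 it reports is the range to block or inspect, since the true C2 sits somewhere among the decoy addresses.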

Domain Whois record

Queried whois.publicinterestregistry.net with "adm-service.org"...

Domain Name: ADM-SERVICE.ORG
Domain ID: D166856235-LROR
WHOIS Server:
Referral URL: www.bizcn.com
Updated Date: 2016-06-28T14:46:27Z
Creation Date: 2012-10-15T15:09:33Z
Registry Expiry Date: 2017-10-15T15:09:33Z
Sponsoring Registrar: Bizcn.com, Inc.
Sponsoring Registrar IANA ID: 471
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant ID: orgmc50313771827
Registrant Name: Medoro Chicoine
Registrant Organization: ADM Service Ltd
Registrant Street: 25 avenue Albert II
Registrant City: Monaco
Registrant State/Province: Monaco
Registrant Postal Code: 98000
Registrant Country: MC
Registrant Phone: +86.37798587511
Registrant Phone Ext:
Registrant Fax: +86.37798587512
Registrant Fax Ext:
Registrant Email: info@adm-service.org
Admin ID: orgmc50313772139
Admin Name: Medoro Chicoine
Admin Organization: ADM Service Ltd
Admin Street: 25 avenue Albert II
Admin City: Monaco
Admin State/Province: Monaco
Admin Postal Code: 98000
Admin Country: MC
Admin Phone: +86.37798587511
Admin Phone Ext:
Admin Fax: +86.37798587512
Admin Fax Ext:
Admin Email: info@adm-service.org
Tech ID: orgmc50313773049
Tech Name: Medoro Chicoine
Tech Organization: ADM Service Ltd
Tech Street: 25 avenue Albert II
Tech City: Monaco
Tech State/Province: Monaco
Tech Postal Code: 98000
Tech Country: MC
Tech Phone: +86.37798587511