Definitely Not Cerber

At the beginning of last week we noticed a spam campaign delivering a double zipped JScript file. The campaign started on September 8th. The email had the subject line of “RE: [name of recipient]” with an empty body, and an attached zip file named “[recipient name][a-z]{4}.zip”.

The characteristics of the mail, the naming of the attached item, and the obfuscation used in the sample were similar to what had previously been seen in the distribution of Cerber ransomware. Testing one of the samples led to an unpleasant surprise that looked nothing like Cerber.


Definitely not Cerber

The final payload of that particular sample was Locky ransomware. It was an odd discovery, especially as Locky is known to be distributed by the Necurs botnet in totally different campaigns with higher prevalence. This campaign spanned over a week, with no more than a few dozen samples per day. Further analysis of the campaign revealed minor tweaks and updates to the attached item during the week.


The first attachment type delivered, on the evening of the 8th, was an obfuscated JScript downloader. Distribution of this type continued for a few days. The next surge, two days later, delivered a similarly obfuscated JScript downloader inside a JScript encoded script file (.jse). Later, the campaign continued by spamming encrypted JScript files, but changed the obfuscation to add custom XOR encryption of critical strings. In the last update the size of the downloader was doubled with comments, and the distribution spiked a little.

The contacted URLs also followed the format observed in previous Cerber campaigns. In total, the samples contacted 7 domains registered under the .top TLD, resolving to two IP addresses, each serving 7 different query parameters in the format ?f=[1-7]{1}.bin. The query was hard-coded in each distributed sample, and 25% of the samples contacted the domains with query parameter 1. (By comparison, if the parameter were chosen at random, the share would be 14% instead of 25%.)

Further analysis of the URLs revealed that the same sample of Locky was delivered on all domains for query parameters 2 to 7. Query parameter 1 was allocated to serving Cerber ransomware.
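The mail and URL patterns described above, turned into mail-gateway and proxy-log checks. This is an added example, not code from the original post; the recipient name, hosts, URLs and the 8-URL sample set are constructed, and the .top hosts are placeholders.

```python
"""Detection helpers for the campaign described above (added example; all sample
data below is constructed, not real telemetry)."""
import re
from collections import Counter

# Download URL pattern from the post: a .top domain queried with ?f=<1-7>.bin
URL_RE = re.compile(r"^https?://(?P<host>[^/]+\.top)/[^?]*\?f=(?P<slot>[1-7])\.bin$")

# Uniform choice over the seven query slots would give each about 14%.
UNIFORM_SHARE = 1 / 7


def suspicious_mail(recipient, subject, body, attachment):
    """True when a mail matches the campaign: subject 'RE: <recipient>', an empty
    body, and an attachment named '<recipient><four lowercase letters>.zip'."""
    if subject.strip() != f"RE: {recipient}" or body.strip():
        return False
    pattern = re.escape(recipient) + r"[a-z]{4}\.zip"
    return re.fullmatch(pattern, attachment) is not None


def parse_download(url):
    """Return (host, slot) for a URL matching the campaign's download format,
    otherwise None."""
    m = URL_RE.match(url)
    return (m.group("host"), int(m.group("slot"))) if m else None


def slot_shares(urls):
    """Share of each ?f= slot among matching URLs, keyed 1..7. Comparing the
    result against UNIFORM_SHARE shows whether a slot is over-represented,
    as slot 1 (25% vs 14%) was in the observed campaign."""
    counts = Counter()
    for url in urls:
        hit = parse_download(url)
        if hit:
            counts[hit[1]] += 1
    total = sum(counts.values())
    return {slot: counts[slot] / total for slot in range(1, 8)} if total else {}


# Constructed sample: 8 contacted URLs, two of them using slot 1 (placeholder hosts).
SAMPLE_URLS = [
    "http://placeholder-1.top/?f=1.bin",
    "http://placeholder-2.top/?f=1.bin",
] + [f"http://placeholder-{i}.top/?f={i}.bin" for i in range(2, 8)]

if __name__ == "__main__":
    print(suspicious_mail("jdoe", "RE: jdoe", "", "jdoeqxrt.zip"))  # constructed mail
    print(slot_shares(SAMPLE_URLS))
```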


Probably Cerber

This is not the first time Cerber has been distributed in the same campaigns as other nasty malware. Last May, Cerber shared a distribution framework with the Dridex banking trojan. Although the campaign seems to be in a test phase, judging by the multiple minor updates to the dropper during the week, seeing two different ransomware families in the same campaign is so far unusual.


Tagged: Cerber, Kyb3r, Locky, Ransomware

Seriously, Put Away The Foil

I was scanning the headlines this morning, as I do, and came across this article by YLE Uutiset (News). — “Finnish police: Keep your car keys in the fridge”

Finnish police: keep your car keys in the fridge

From YLE’s article:

“These so-called smart keys work by emitting a signal when the driver touches the door handle. The lock opens when it recognises the key’s signal. Criminals have technology that can strengthen that signal even from a hundred metres away—well inside the residential property where most owners keep their keys, according to Eero Heino of the If insurance company.”

So, should you keep your keys in a refrigerator?

Car key in a fridge

Don’t. (Cold can damage some batteries.)

Well, what about foil?

No. Put away the foil…

Look, if you have a car that’s actually valuable enough to be concerned about – get yourself a Faraday bag. Here’s one designed to fit a phone.

Car key in a Faraday bag

A very handy item to have when traveling abroad to “certain countries”.

Wickr branded Faraday bag

I got mine from the fine folks at Wickr. A quick search on Amazon yields results starting at about 10 bucks.

Or hey, here’s an idea, perhaps insurance companies could start giving customers Faraday bags when insuring an expensive car?

Just a thought.

Tagged: Faraday, Kyb3r