
Cerber

From Malware Wiki



Cerber (sample details)

Type: Ransomware, Trojan
Creator: crbr
Date: November 10th, 2016
Platform: Microsoft Windows
File type: Win32 PE executable (.EXE)
Alias(es): Ransom.Cerber (Malwarebytes); Trj/GdSda.A (Panda)
Size: 176,128 bytes
MD5: cfd2d6f189b04d42618007fc9c540352
SHA-1: f8413a21c4179378b2c23a3302ba33505e273430
SHA-256: 408fd7edadfbdaab161e04afcfc115c464916e99aaba8b036f52c57c3ade49c5
SSDEEP: 3072:Uigl4prnPE9WsSpo09F/Kf1/amoH8k3DkN8K1ADC/DokyEKXcs2K+NPja7V:ngAPE92o09Mf1/azLxK1m0DXA+
Authentihash: e915594d98920bf70f44e335c93ee520425e1b0cd6a24053cd2bcc0711ceb0a3
IMPhash: c99d7803d06d53ee3ba6be545bdda900

Cerber is a ransomware trojan for Microsoft Windows that is spread via spam emails and currently has 5 versions. The .DOCX file for Cerber arrives attached to an email message. When the user opens the .DOCX, it shows a document with bad encoding and uses social engineering to convince the user to activate macros. After the user does, it auto-extracts the payload.

The JS and malicious Word documents both contain obfuscated scripts that download the Sage 2.0 installer to the %Temp% folder from a URL. After encrypting the user's files, the malware contacts a Command and Control server and sends encrypted data that includes a campaign ID. It can be inferred that this ransomware may be distributed on the Dark Web as Ransomware-as-a-Service (RaaS). Cerber is a large ransomware family tree that includes many variants, such as Cerber, Cerber 2, Cerber3, Cerber with random extensions, RedCerber, and ReadMe Cerber. Infection activity for this family rises and falls sharply over time.
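The delivery chain described above hinges on a Word document that carries a VBA macro. The following is an added example, not code from Malware Wiki or from any Cerber sample: it inspects an Office Open XML container (which is a ZIP archive) for the `vbaProject.bin` part and for the `application/vnd.ms-office.vbaProject` declaration in `[Content_Types].xml`, so a mail gateway or triage script can flag macro-bearing attachments before a user sees the "enable content" prompt. The documents it builds are constructed in memory for the demo and contain no real VBA; `build_constructed_docx` and `find_macro_parts` are names chosen here, not part of any library.

```python
"""Added example (not Malware Wiki code): detect macro-bearing Office documents.

Office Open XML files (.docx/.docm/.xlsm/...) are ZIP archives. Embedded VBA is
stored in a part named vbaProject.bin, which the [Content_Types].xml manifest
declares with the content type application/vnd.ms-office.vbaProject. Checking
the container rather than the file extension catches a macro document however
it has been named. The sample documents below are constructed for the demo.
"""
import io
import zipfile

# Content type OOXML uses to declare an embedded VBA project part.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_parts(data: bytes) -> list:
    """Return the archive entries that carry VBA (empty list: no macros found)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            hits = [n for n in names if n.lower().endswith("vbaproject.bin")]
            # Cross-check the manifest: the part may be declared even when it is
            # stored under an unusual path.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_CONTENT_TYPE in manifest and not hits:
                    hits.append("[Content_Types].xml (declares a vbaProject part)")
            return hits
    except zipfile.BadZipFile:
        # Not a ZIP container at all (legacy OLE2 .doc, or something unrelated).
        return []


def is_macro_document(data: bytes) -> bool:
    """True when the container carries, or declares, a VBA project."""
    return bool(find_macro_parts(data))


def build_constructed_docx(with_macro: bool) -> bytes:
    """Build a minimal OOXML container; constructed for the demo, not a real lure."""
    overrides = [
        '<Override PartName="/word/document.xml" ContentType="application/'
        'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    ]
    if with_macro:
        overrides.append(
            '<Override PartName="/word/vbaProject.bin" ContentType="%s"/>'
            % MACRO_CONTENT_TYPE
        )
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides)
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes; a real part would be an OLE2 stream of VBA.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_constructed_docx(False)),
                       ("macro", build_constructed_docx(True))):
        print(label, "->", find_macro_parts(doc) or "no macro parts")
```

A hit from this check is a reason to quarantine or sandbox the attachment, not proof of Cerber specifically; legitimate macro-enabled documents trigger it too, which is why gateways typically combine it with sender and policy context.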

The delivered Cerber payloads have their version information removed, which makes it harder for security solutions to remove infections without updated definition sets. Newer versions of the malware add two further sets of IP ranges that are used to contact the remote malicious C&C servers. In addition, a TOR proxy site has replaced the usual payment gateways. Security researchers also note that the malware now prioritizes Office folders that contain sensitive and critical files, which likely means that the criminal operators target enterprise environments.

It targets the following extensions:

.accdb, .mdb, .mdf, .dbf, .vpd, .sdf, .sqlitedb, .sqlite3, .sqlite, .sql, .sdb, .doc, .docx, .odt, .xls, .xlsx, .ods, .ppt, .pptx, .odp, .pst, .dbx, .wab, .tbk, .pps, .ppsx, .pdf, .jpg, .tif, .pub, .one, .rtf, .csv, .docm, .xlsm, .pptm, .ppsm, .xlsb, .dot, .dotx, .dotm, .xlt, .xltx, .xltm, .pot, .potx, .potm, .xps, .wps, .xla, .xlam, .erbsql, .sqlite-shm, .sqlite-wal, .litesql, .ndf, .ost, .pab, .oab, .contact, .jnt, .mapimail, .msg, .prf, .rar, .txt, .xml, .zip, .1cd, .3ds, .3g2, .3gp, .7z, .7zip, .aoi, .asf, .asp, .aspx, .asx, .avi, .bak, .cer, .cfg, .class, .config, .css, .dds, .dwg, .dxf, .flf, .flv, .html, .idx, .js, .key, .kwm, .laccdb, .ldf, .lit, .m3u, .mbx, .md, .mid, .mlb, .mov, .mp3, .mp4, .mpg, .obj, .pages, .php, .psd, .pwm, .rm, .safe, .sav, .save, .srt, .swf, .thm, .vob, .wav, .wma, .wmv, .3dm, .aac, .ai, .arw, .c, .cdr, .cls, .cpi, .cpp, .cs, .db3, .drw, .dxb, .eps, .fla, .flac, .fxg, .java, .m, .m4v, .max, .pcd, .pct, .pl, .ppam, .ps, .pspimage, .r3d, .rw2, .sldm, .sldx, .svg, .tga, .xlm, .xlr, .xlw, .act, .adp, .al, .bkp, .blend, .cdf, .cdx, .cgm, .cr2, .crt, .dac, .dcr, .ddd, .design, .dtd, .fdb, .fff, .fpx, .h, .iif, .indd, .jpeg, .mos, .nd, .nsd, .nsf, .nsg, .nsh, .odc, .oil, .pas, .pat, .pef, .pfx, .ptx, .qbb, .qbm, .sas7bdat, .say, .st4, .st6, .stc, .sxc, .sxw, .tlg, .wad, .xlk, .aiff, .bin, .bmp, .cmt, .dat, .dit, .edb, .flvv, .gif, .groups, .hdd, .hpp, .m2ts, .m4p, .mkv, .mpeg, .nvram, .ogg, .pdb, .pif, .png, .qed, .qcow, .qcow2, .rvt, .st7, .stm, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .3fr, .3pr, .ab4, .accde, .accdr, .accdt, .ach, .acr, .adb, .ads, .agdl, .ait, .apj, .asm, .awg, .back, .backup, .backupdb, .bank, .bay, .bdb, .bgt, .bik, .bpw, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .ce1, .ce2, .cib, .craw, .crw, .csh, .csl, .db_journal, .dc2, .dcs, .ddoc, .ddrw, .der, .des, .dgc, .djvu, .dng, .drf, .dxg, .eml, .erf, .exf, .ffd, .fh, .fhd, .gray, .grey, .gry, .hbk, .ibank, .ibd, .ibz, .iiq, .incpas, .jpe, .kc2, .kdbx, .kdc, .kpdx, .lua, .mdc, .mef, .mfw, .mmw, .mny, .moneywell, .mrw, .myd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nwb, .nx2, .nxl, .nyf, .odb, .odf, .odg, .odm, .orf, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pdd, .mts, .plus_muhd, .plc, .psafe3, .py, .qba, .qbr, .qbw, .qbx, .qby, .raf, .rat, .raw, .rdb, .rwl, .rwz, .s3db, .sd0, .sda, .sr2, .srf, .srw, .st5, .st8, .std, .sti, .stw, .stx, .sxd, .sxg, .sxi, .sxm, .tex, .wallet, .wb2, .wpd, .x11, .x3f, .xis, .ycbcra, .yuv, .mab, .json, .msf, .jar, .cdb, .srb, .abd, .qtb, .cfn, .info, .info_, .flb, .def, .atb, .tbn, .tbb, .tlx, .pml, .pmo, .pnx, .pnc, .pmi, .pmm, .lck, .pm!, .pmr, .usr, .pnd, .pmj, .pm, .lock, .srs, .pbf, .omg, .wmf, .sh, .war, .ascx, .k2p, .apk, .asset, .bsa, .d3dbsp, .das, .forge, .iwi, .lbf, .litemod, .ltx, .m4a, .re4, .slm, .tiff, .upk, .xxx, .money, .cash, .private, .cry, .vsd, .tax, .gbr, .dgn, .stl, .gho, .ma, .acc, .db
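The target list above and the sample hashes in the infobox are the two things a responder can act on offline: the list says which files an infected host would lose, and the hashes identify this particular build. The following added example (not code from Malware Wiki) walks a directory tree once and reports both: a per-extension count of files that Cerber would encrypt, and any file whose SHA-256 matches a known sample. Only a representative subset of the page's extension list is embedded, labelled as such; `triage_tree`, `sha256_of` and `demo` are names chosen here, and the directory that `demo` builds is constructed for illustration.

```python
"""Added example (not Malware Wiki code): offline triage against Cerber indicators.

One pass over a directory tree answers two questions a responder asks first:
  1. Exposure: how many files carry an extension on Cerber's target list?
  2. IoC hit: does any file's SHA-256 equal the sample hash from the infobox?
TARGETED_EXTENSIONS is a subset of the list on this page; extend it with the
full list for real use. The tree built by demo() is constructed for the demo.
"""
import hashlib
import os
import tempfile
from collections import Counter

# Subset of the Cerber target-extension list given on this page.
TARGETED_EXTENSIONS = frozenset({
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".jpg", ".png",
    ".txt", ".zip", ".rar", ".sql", ".mdb", ".accdb", ".pst", ".vmdk", ".vhdx",
    ".kdbx", ".pfx", ".p12", ".wallet", ".py", ".java", ".cpp", ".c", ".h",
})

# SHA-256 of the Cerber sample from this page's infobox.
CERBER_SHA256 = frozenset({
    "408fd7edadfbdaab161e04afcfc115c464916e99aaba8b036f52c57c3ade49c5",
})


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_tree(root, targeted=TARGETED_EXTENSIONS, known_hashes=CERBER_SHA256):
    """Count exposed files by extension and collect paths whose hash is a known IoC."""
    exposed = Counter()
    ioc_hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in targeted:
                exposed[ext] += 1
            if sha256_of(path) in known_hashes:
                ioc_hits.append(path)
    return {
        "exposed": dict(exposed),
        "exposed_total": sum(exposed.values()),
        "ioc_hits": sorted(ioc_hits),
    }


def demo():
    """Build a constructed directory tree and run the triage over it."""
    root = tempfile.mkdtemp(prefix="cerber_triage_")
    layout = {  # constructed sample files; contents are arbitrary bytes
        "docs/report.docx": b"quarterly figures (constructed)",
        "docs/notes.txt": b"meeting notes (constructed)",
        "pics/photo.jpg": b"\xff\xd8 not really a jpeg (constructed)",
        "bin/tool.exe": b"MZ constructed executable stub",
        "logs/app.log": b"2016-11-10 constructed log line",
        "downloads/suspect.bin": b"constructed stand-in for a known sample",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    # For the demo only, register the stand-in file's own hash as an IoC so a
    # hit is visible; in real use only published sample hashes belong here.
    planted = os.path.join(root, "downloads", "suspect.bin")
    known = CERBER_SHA256 | {sha256_of(planted)}
    return triage_tree(root, known_hashes=known)


if __name__ == "__main__":
    result = demo()
    print("files at risk by extension:", result["exposed"])
    print("known-sample hits:", result["ioc_hits"] or "none")
```

Hash matching only catches the exact build whose hash is published; packed or rebuilt variants (the page notes several) need signature- or behaviour-based detection. The exposure count is still useful on its own for prioritising which shares and hosts to restore from backup first.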

Other Languages

Cerber provides translations for these languages:

  • English
  • Dutch
  • Spanish
  • French
  • Chinese
  • Japanese
  • Portuguese
  • Turkish
  • Arabic
  • Nederlands