Zero-day exploits and recently patched or still-unpatched vulnerabilities are attractive to Threat Actors (TAs) because they allow malware to be deployed efficiently. TAs exploit these vulnerabilities to deliver various types of malware and steal sensitive information for financial gain.
On June 11th, 2022, Microsoft reported on Twitter that CVE-2022-26134 was being exploited to download and deploy the Cerber2021 ransomware (also known as "CerberImposter").
CVE-2022-26134 is an Object-Graph Navigation Language (OGNL) injection vulnerability in Atlassian Confluence Server and Data Center. Successful exploitation allows an unauthenticated, remote attacker to run arbitrary code on an unpatched Confluence server and take control of it, for example by creating new administrator accounts; in this campaign the access is used to deliver Cerber2021 ransomware.
Cerber is a Ransomware-as-a-Service (RaaS) family first identified in 2016. In 2017, Cerber accounted for 26% of all ransomware infections. In 2018, the TAs behind Cerber moved on to build other ransomware such as GandCrab, SamSam, and Spartacus.
In December 2021, researchers identified a new version of Cerber targeting both Linux and Windows systems. In that campaign, Cerber2021 was delivered by exploiting vulnerabilities in Confluence and GitLab servers, tracked as CVE-2021-26084 and CVE-2021-22205, respectively.
Technical Analysis
The sample with SHA256 hash f301501b4e2b8db73c73a604a6b67d21e24c05cb558396bc395dcb3f98de7ccf was taken for this analysis. Static analysis shows that the malicious file is a 32-bit Graphical User Interface (GUI) Windows executable, as shown in the figure below.
Upon execution, the malware checks for the presence of three mutexes, as shown in Figure 3, and terminates if any of them already exists on the machine. This guard is implemented to avoid re-encrypting an already infected host. Because the check only tests whether a mutex with a given name exists, the same names are useful as host-based indicators and can be pre-created as a "vaccine", provided they are unique to this family.
The binary contains strings such as "cryptographic algorithms, are disabled after a power-up self-test fails", which is the text of the Crypto++ power-up self-test failure message. This indicates that the malware uses the freely available Crypto++ library for encryption. The figure below shows the Crypto++ library strings.
After infiltrating the victim's computer, the ransomware iterates over the drive letters from "C:" to "Z:" and encrypts files on every drive it finds. Cerber2021 targets files with the extensions listed in the figure below.
After encryption, the ransomware appends the .locked extension to the name of each encrypted file. The figure below shows files encrypted by the ransomware.
After encrypting the files, the malware builds a Tor onion URL by appending a dynamically generated, victim-specific key to the end of the path, as shown below.
Finally, the ransom note, named __$$RECOVERY_README$$__.html, is presented to the victim. In it, the TAs instruct victims to contact them through their Tor website and threaten to publish the victim's private data on public news sites and websites if they are not contacted within 30 days of the attack. The figure below shows the ransom note.
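The drive enumeration, .locked renaming, ransom note and victim-specific Tor link described above translate directly into a scoping routine for responders. The following is an added example, not code from the original write-up or from the malware: it walks a directory tree, tallies .locked files by their original extension, locates the ransom note, pulls the onion host and victim key out of the (possibly defanged) link, and checks that the host is a well-formed v3 onion address using the checksum construction from the Tor rendezvous specification. The directory tree and ransom note text are constructed; the onion host is the one from the IOC table, the victim key is a constructed stand-in, and the regular expression and helper names are this example's own.

```python
"""Scope a Cerber2021-style infection: find .locked files, the ransom note and
the per-victim Tor link. Sample tree and note are constructed, not real data."""
import base64
import hashlib
import os
import re
import shutil
import tempfile
from collections import Counter

LOCKED_EXT = ".locked"
RANSOM_NOTE = "__$$RECOVERY_README$$__.html"
# Plain or defanged (hxxp, [.]) Tor URL: 56-char v3 label, then the victim key path.
ONION_RE = re.compile(r"h(?:xx|tt)ps?://([a-z2-7]{56})(?:\[\.\]|\.)onion/([0-9a-z]+)/?", re.I)


def scope_tree(root):
    """Count encrypted files by original extension and locate ransom notes."""
    locked = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif name.endswith(LOCKED_EXT):
                original = name[:-len(LOCKED_EXT)]          # strip the appended .locked
                locked[os.path.splitext(original)[1].lower() or "(none)"] += 1
    return {"locked_files": sum(locked.values()), "by_extension": dict(locked), "ransom_notes": notes}


def extract_tor_link(note_html):
    """Return (onion_host, victim_key) from the note, or None if no link is present."""
    m = ONION_RE.search(note_html)
    if not m:
        return None
    return m.group(1).lower() + ".onion", m.group(2)


def onion_v3_is_valid(host):
    """v3 address = base32(pubkey | checksum | version) with
    checksum = SHA3-256(".onion checksum" | pubkey | version)[:2] and version == 3."""
    label = host[:-len(".onion")] if host.endswith(".onion") else host
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    return version == 3 and checksum == expected


# --- constructed fixture -------------------------------------------------------
ONION_HOST = "pigetrzlperjreyr3fbytm27bljaq4eungv3gdq2tohnoyfrqu4bx5qd.onion"  # host from the IOC table
VICTIM_KEY = "bt0123456789abcdef"                                              # constructed stand-in
SAMPLE_NOTE = (
    "<html><body>Your files are encrypted. Contact us at "
    f"hxxp://{ONION_HOST.replace('.onion', '[.]onion')}/{VICTIM_KEY}/</body></html>"
)


def build_sample_tree():
    """Create a throwaway tree that looks like a hit user profile."""
    root = tempfile.mkdtemp(prefix="cerber_scope_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx.locked", "budget.xlsx.locked", "photo.jpg.locked", "notes.txt"):
        open(os.path.join(docs, name), "wb").close()
    with open(os.path.join(docs, RANSOM_NOTE), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_NOTE)
    return root


def run_demo():
    root = build_sample_tree()
    try:
        report = scope_tree(root)
        with open(report["ransom_notes"][0], encoding="utf-8") as fh:
            link = extract_tor_link(fh.read())
    finally:
        shutil.rmtree(root)
    report["tor_host"], report["victim_key"] = link
    report["onion_checksum_ok"] = onion_v3_is_valid(link[0])
    return report


if __name__ == "__main__":
    print(run_demo())
```

The extension histogram tells you at a glance which data types were hit, and the victim key is what the TAs use to tie a payment page to a particular machine, so it belongs in the incident record alongside the file hashes.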
The decryption software is offered through the Tor link given in the __$$RECOVERY_README$$__.html page. It requires a payment of 0.068 Bitcoin (~ USD 21,000) within 5 days; otherwise, the price of the software doubles, as shown in the figure below.
To delete itself after infection, the ransomware calls the ShellExecuteA() API with the arguments shown below. This removes the malware file from the system, leaving only the encrypted files and the ransom note behind; responders should therefore expect the dropper to be absent from disk and rely on execution artifacts such as Prefetch, Amcache and EDR telemetry to recover it.
Linux Variant
The sample with SHA256 hash 46998fe7f03cf9f870d95b6585324bbde64fe0a673382ef571662ca2f40499bb was taken for this analysis. Static analysis shows that the malicious file is a 64-bit UPX-packed ELF binary, as shown in the figure below; unpacking it (upx -d) yields the binary listed as the unpacked x64 ELF in the IOC table.
The functionality of the Linux version is similar to that of the Windows version: it targets the same file extensions and uses the same payment method. The figure below shows encrypted files on a Linux machine.
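The static-analysis findings for both samples (a 32-bit GUI PE that embeds the Crypto++ self-test string under Technical Analysis, and the 64-bit UPX-packed ELF above) come from header fields and string fingerprints that are easy to check programmatically. The following is an added example, not code from the original write-up: it reads the PE or ELF header to recover bitness, machine type and (for PE) the subsystem that makes a binary "GUI-based", then scans for strings that betray Crypto++ and the UPX packer. The inputs are constructed header stubs standing in for the real samples; the fingerprint dictionary, helper names and the Crypto++ needle (a substring of the self-test message quoted in the write-up) are this example's own choices.

```python
"""Static triage: file format, bitness, subsystem and library/packer fingerprints.
Sample inputs are constructed header stubs, not the real malware."""
import struct

# String fingerprints. The Crypto++ needle is a substring of the power-up
# self-test failure message quoted in the write-up; the UPX needles are the
# packer's magic and its stub banner.
FINGERPRINTS = {
    "Crypto++": [b"disabled after a power-up self"],
    "UPX": [b"UPX!", b"$Info: This file is packed with the UPX executable packer"],
}
PE_MACHINES = {0x14C: "x86", 0x8664: "x86-64"}
ELF_MACHINES = {0x03: "x86", 0x3E: "x86-64"}


def triage_pe(data: bytes) -> dict:
    """Bitness, machine and subsystem from the PE headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    # The optional header follows the 20-byte COFF header; its Magic field
    # distinguishes PE32 from PE32+, and Subsystem sits at offset 68 in both.
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "format": "PE",
        "bits": {0x10B: 32, 0x20B: 64}.get(magic, 0),
        "machine": PE_MACHINES.get(machine, hex(machine)),
        "subsystem": {2: "GUI", 3: "console"}.get(subsystem, str(subsystem)),
    }


def triage_elf(data: bytes) -> dict:
    """Bitness and machine from e_ident[EI_CLASS], e_ident[EI_DATA] and e_machine."""
    bits = {1: 32, 2: 64}.get(data[4], 0)
    endian = "<" if data[5] == 1 else ">"
    e_machine = struct.unpack_from(endian + "H", data, 18)[0]
    return {"format": "ELF", "bits": bits, "machine": ELF_MACHINES.get(e_machine, hex(e_machine))}


def triage(data: bytes) -> dict:
    """Dispatch on the magic bytes, then add string-based indicators."""
    if data[:2] == b"MZ":
        info = triage_pe(data)
    elif data[:4] == b"\x7fELF":
        info = triage_elf(data)
    else:
        info = {"format": "unknown"}
    info["indicators"] = sorted(
        name for name, needles in FINGERPRINTS.items() if any(n in data for n in needles)
    )
    # A UPX hit means the interesting strings are still compressed: unpack the
    # file (upx -d) and triage the result before trusting the other findings.
    info["packed"] = "UPX" in info["indicators"]
    return info


# --- constructed header stubs standing in for the real samples -----------------
def _fake_pe(magic: int, machine: int, subsystem: int, tail: bytes) -> bytes:
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> NT headers right after the DOS stub
    nt = bytearray(24 + 96)                       # PE signature + COFF header + optional header
    nt[:4] = b"PE\0\0"
    struct.pack_into("<H", nt, 4, machine)
    struct.pack_into("<H", nt, 24, magic)
    struct.pack_into("<H", nt, 24 + 68, subsystem)
    return bytes(dos + nt) + tail


def _fake_elf(ei_class: int, e_machine: int, tail: bytes) -> bytes:
    ehdr = bytearray(64)
    ehdr[:4] = b"\x7fELF"
    ehdr[4], ehdr[5] = ei_class, 1                # EI_CLASS, EI_DATA = little-endian
    struct.pack_into("<H", ehdr, 18, e_machine)
    return bytes(ehdr) + tail


# 32-bit GUI PE carrying the Crypto++ self-test string, like the Windows sample.
SAMPLE_PE = _fake_pe(0x10B, 0x14C, 2,
                     b"\0cryptographic algorithms, are disabled after a power-up self-test fails.\0")
# 64-bit ELF carrying the UPX markers, like the packed Linux sample.
SAMPLE_ELF = _fake_elf(2, 0x3E,
                       b"UPX!\0$Info: This file is packed with the UPX executable packer http://upx.sf.net $\0")

if __name__ == "__main__":
    for label, blob in (("windows", SAMPLE_PE), ("linux", SAMPLE_ELF)):
        print(label, triage(blob))
```

Against a real sample you would read the file into `data` and call `triage(data)`; the point of the `packed` flag is that none of the other indicators mean much until the UPX layer has been removed and the unpacked file has been triaged again.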
Cerber vs. Cerber2021
- Cerber2021 is built on a different code base from the Cerber variants seen in 2016.
- The new variant encrypts files on both Windows and Linux machines, whereas the older version affected only Windows systems.
- The new variant uses the Crypto++ library for encryption; the older Cerber used the Windows CryptoAPI.
- Cerber2021 borrowed its name from the older Cerber ransomware and copied its Tor payment sites and ransom notes.
Conclusion
Ransomware remains an increasingly common and effective attack method that affects organizations and their productivity. TAs exploit recently patched or still-unpatched vulnerabilities to deliver ransomware such as Cerber2021. Currently, the best way to protect yourself and your organization against Cerber2021 is to apply the security updates Atlassian has released for Confluence.
Many servers have since been patched; however, we expect the TAs to target other vulnerabilities to breach servers and deploy their malware. Cyble Research Labs closely monitors the Cerber ransomware group and similar TA activity and analyzes it to better understand their motivations.
Our Recommendations
We have listed some essential cybersecurity best practices that form the first line of defense against attackers. We recommend that readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputable anti-virus and Internet security software package on your connected devices, including PCs, laptops, and mobile devices.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Steps Users Should Take After a Ransomware Attack
- Disconnect infected devices from the network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impact and Severity of Cerber2021 Ransomware
- Loss of valuable data.
- Loss of organization’s reliability or integrity.
- Loss of organization’s business information.
- Disruption in organization operation.
- Economic loss.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name
--- | --- | ---
Execution | T1204 | User Execution
Discovery | T1082 | System Information Discovery
Discovery | T1083 | File and Directory Discovery
Impact | T1490 | Inhibit System Recovery
Impact | T1486 | Data Encrypted for Impact
Defense Evasion | T1070 | Indicator Removal on Host
Indicators Of Compromise
Indicator | Indicator Type | Description
--- | --- | ---
f40eb8db16cbc2ac5a69fc854ab4876c | MD5 | x32 EXE binary
0fc7472537b4991b6a52e56b7eaad73ab356522e | SHA1 | x32 EXE binary
f301501b4e2b8db73c73a604a6b67d21e24c05cb558396bc395dcb3f98de7ccf | SHA256 | x32 EXE binary
02e99ee58ee459394afec7b0777a92db | MD5 | UPX-packed x64 ELF binary
6e9b7ca0e7442ce9ba91f6fb8eb4313050a9c3b7 | SHA1 | UPX-packed x64 ELF binary
46998fe7f03cf9f870d95b6585324bbde64fe0a673382ef571662ca2f40499bb | SHA256 | UPX-packed x64 ELF binary
714df70866e61f3c527489a51b286e88 | MD5 | Unpacked x64 ELF binary
3a951dd09d37b1ce59b7f6aeb7c704c91283f865 | SHA1 | Unpacked x64 ELF binary
079987319655417735ed9b0359a6d8b46532cc38e68b75383c4c87227815bca4 | SHA256 | Unpacked x64 ELF binary
hxxp://pigetrzlperjreyr3fbytm27bljaq4eungv3gdq2tohnoyfrqu4bx5qd[.]onion/bt025fefe1cdf7daadba915550fc61bd0a32476366d83073ccd8941ebb1f20251338a8d0b478b7ea5a25ea739ae11b5df8c93f95834d5c0ff161170b5770ea8b6b339af6f4518d06d868d120ab786e87609a43d563ec65d6d5cd109dbf96ec62013c2d4876795a169befc9ba5c78ffaa69e5000c85ae62c8873e3d699b40026f5433/ | URL | Tor site link (defanged)
Source: https://blog.cyble.com/2022/06/17/cerber2021-ransomware-back-in-action/