This post was originally published on this site is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to

Cerber ransomware incorporates the unusual feature of “speaking” its
ransom message after successfully infecting a user machine and
encrypting files. Cerber was first
seen in the wild
at the end of February 2016 and was observed
being delivered mostly via exploit kits (EK), notably using Magnitude
and Nuclear Pack’s zero-day
Flash exploit.

Figure 1 shows that on April 28, 2016, we observed a significant
increase in Microsoft Office document-based macro downloader spam
campaigns delivering Cerber ransomware as the payload. Since then we
observed successor campaigns at the same level of volume. What is more
notable about these campaigns is that the same distribution framework
used by Dridex seems to be the one delivering this Cerber campaign.

Figure 1. Cerber spam activity trend

Through FireEye’s Dynamic Threat Intelligence (DTI), we observed
that one Cerber spam campaign from May 4 was widely spread throughout
the world, with the most targets in the United States (see Figure 2).

Figure 2. Geographical distribution of Cerber
spam seen by FireEye DTI in May 4

Macro based Downloader

The malicious document attachment contains a macro that drops a
VBScript in the %appdata% path of the machine. The rest of the
malicious activities are performed by the dropped VBScript. This
method of malware delivery is used instead of sending the VBScript
directly as an email attachment, since some email gateway policies
might block attached scripts.

The dropped VBScript includes obfuscated code that is used to
download the Cerber payload.

The following are some of the obfuscation techniques used, briefly summarized:

  1. Declare several variables that are not used in the code. This
    junk code is added to deter reverse engineering.
  2. A
    subroutine is used for delaying execution. This subroutine will
    increment a counter variable from 1 to 96166237. After completing
    the FOR loop, it compares the value of the variable with 96166237 to
    ensure that the FOR loop executed completely and there was no short
    circuit done (see Figure 3). This is done to detect automated
    analysis systems.

Figure 3. Delay execution routine in VBScript

HTTP Range Request for Internet Connectivity Check

Before downloading the Cerber payload, a check is performed by the
VBScript to ensure that the environment has internet connectivity.

As seen in Figure 4, the VBScript sends an HTTP Range Request to a
benign website. It looks for the string “Partial Content” in the HTTP
response status text, as “206 Partial Content” is the expected
response code for an HTTP Range Request according to RFC7233. If the
response code is not correct, the VBScript calls a function to enter
an infinite loop. In this way, the execution does not complete without
Internet connectivity.

Figure 4. HTTP Range Request check for internet connectivity

Cerber Payload Download Method

After the check for internet connectivity is performed, the VBScript
sends another HTTP Range Request to fetch a JPEG file from the URL: hxxp://bsprint[.]ro/images/karma-autumn/bg-footer-bottom.jpg?ObIpcVG=

In the HTTP Request Headers, it sets the value of Range Header to:
“bytes=11193-“. This indicates to the web server to return
only the content starting at offset 11,193 of the JPG file.

The response content of this request is XORed with the key:
“amfrshakf”. Figure 5 shows the code section corresponding
to the decryption routine.

Figure 5. Payload decoding routine

This technique of downloading the final payload using an HTTP Range
Request check has been leveraged in the past by Dridex and Ursnif. We
have observed similar obfuscation techniques used in the dropped
VBScript as well.

Cerber Ransomware (MD5: 5a2ea6a1d12dcbeb840f5070c7f1e2f8)

There are no significant changes in the behavior of the Cerber
payload in this spam campaign when compared to earlier variants. It
still uses the ‘.cerber’ file extension name for the encrypted files.
In this particular sample it checks for the country location, local
language and whether it is inside a virtual machine environment as per
its decrypted configuration, as seen in Figure 6.

Figure 6. Configuration for country location,
language and virtual environment checks

This variant is also configured to target email, Word documents, and
Steam (gaming) related files. It closes the related processes to have
access to possible opened target files.

Figure 7. Configuration for closing processes

The malware asks the victim to visit any of the following websites
to pay the ransom and receive further steps to decrypt the encrypted files.

  • hxxp://decrypttozxybarc[.]dconnect[.]eu
  • hxxp://decrypttozxybarc[.]tor2web[.]org
  • hxxp://decrypttozxybarc[.]onion[.]cab
  • hxxp://decrypttozxybarc[.]onion[.]to
  • hxxp://decrypttozxybarc[.]onion[.]link

While examining the decrypted configuration file, we found
indications of the possible addition of a spambot module. The malware
operator can set options for the email attachment, subject and the
email body in the configuration, as seen in Figure 8. In this sample,
this feature seems to be in its development or test stage. In order
for the malware to be used as a spambot, it would also need a list of
email addresses to send the spam email.

Figure 8. Possible spambot related configuration


By partnering with the same spam distributor that has proven its
capability by delivering Dridex on a large scale, Cerber is likely to
become another serious email threat similar to Dridex and Locky. This
is in addition to the fact that Cerber is already known to be
delivered through exploit kits. We advise users to be cautious when
opening documents and other files from unknown senders, especially
when asked to enable macros.

Ransomware authors are constantly upgrading their craft in order to
maximize profits. An addition of a spambot module, for example, can
add value to their ransomware, since victim machines will also be used
as spam email distributors.


Spam email


Cerber payload


At L Technology Group, we know technology alone will not protect us from the risks associated with in cyberspace. Hackers, Nation States like Russia and China along with “Bob” in HR opening that email, are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology, but also intelligent personnel who, eats and breaths cybersecurity. Together with proven processes and techniques combines for an advanced next-generation security solution. Since 2008 L Technology Group has develop people, processes and technology to combat the ever changing threat landscape that businesses face day to day.

Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group,