Magnitude Exploit Kit sends Cerber Ransomware via Malvertising


NOTES:

Below is an example of the Magnitude Exploit Kit as used in the latest malvertising campaign. The profiling (fingerprinting) gate used to start the infection chain was sent to me by @HenriNurmi. This was my first opportunity to analyze the Magnitude Exploit Kit and this malvertising campaign, so thank you very much, Henri.


I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me at info@broadanalysis.com.

PCAP file of the infection traffic (UDP traffic not included):
2016-06-27-Magnitude-EK-pcap.zip


REFERENCES:


 

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 91.134.161.33 – money-supermarket.org – Profiling GATE to MAGNITUDE EK
  • 91.134.161.33 – terportalbe.vip – Profiling GATE to MAGNITUDE EK
  • 51.255.105.22 – dd1d0b29o.baditems.gdn – Magnitude EK LANDING PAGE
  • 51.255.105.22 – GET /eedc6bf8b6fbbff12fcf69c8a0efed94 – Malicious PAYLOAD
  • 54.88.175.149 – ipinfo.io – GET /json – Cerber IP ADDRESS CHECK
  • 103.208.86.44 – cerberhhyed5frqa.fkri48.win – Cerber POST INFECT TRAFFIC CnC
  • 85.93.0.0 – 85.93.63.255 (85.93.0.0/18) – UDP Source port: 51292 – Destination port: 6892 – Cerber UDP POST INFECT TRAFFIC
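To turn the list above into something a SOC can run, here is an added example (my own code, not part of the original write-up or the pcap) that matches the listed domains, IPs and the Cerber UDP destination range against connection records. The record layout (proto, src_ip, sport, dst_ip, dport, host) and the sample records are constructed for the example; the indicators themselves are copied from the list above. It also shows that the listed UDP range 85.93.0.0 – 85.93.63.255 is exactly one /18 network.

```python
import ipaddress
from typing import Dict, List

# Indicators copied from the list above (domain or IP -> role in the chain).
IOC_DOMAINS: Dict[str, str] = {
    "money-supermarket.org": "Magnitude EK profiling gate",
    "terportalbe.vip": "Magnitude EK profiling gate",
    "dd1d0b29o.baditems.gdn": "Magnitude EK landing page",
    "cerberhhyed5frqa.fkri48.win": "Cerber post-infection CnC",
}
IOC_IPS: Dict[str, str] = {
    "91.134.161.33": "Magnitude EK profiling gate",
    "51.255.105.22": "Magnitude EK landing page / payload",
    "103.208.86.44": "Cerber post-infection CnC",
}
# ipinfo.io is a legitimate service that Cerber queries for the victim's
# public IP; on its own it proves nothing, so it is reported as weak.
WEAK_DOMAINS: Dict[str, str] = {
    "ipinfo.io": "Cerber IP address check (weak: legitimate service)",
}

# The UDP destination range is listed as 85.93.0.0 - 85.93.63.255.
# summarize_address_range() turns it into CIDR blocks: exactly 85.93.0.0/18.
CERBER_UDP_NETS = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("85.93.0.0"), ipaddress.IPv4Address("85.93.63.255")))
CERBER_UDP_DPORT = 6892


def match_record(rec: Dict[str, object]) -> List[str]:
    """Return the indicator hits for one connection record (empty if clean)."""
    hits: List[str] = []
    proto = str(rec.get("proto", "")).lower()
    dst = str(rec.get("dst_ip", ""))
    host = str(rec.get("host", "")).lower().rstrip(".")

    if host in IOC_DOMAINS:
        hits.append(f"domain {host}: {IOC_DOMAINS[host]}")
    elif host in WEAK_DOMAINS:
        hits.append(f"domain {host}: {WEAK_DOMAINS[host]}")
    if dst in IOC_IPS:
        hits.append(f"ip {dst}: {IOC_IPS[dst]}")

    # Cerber's UDP beacons: any host inside the /18, destination port 6892.
    if proto == "udp" and int(str(rec.get("dport", 0) or 0)) == CERBER_UDP_DPORT:
        try:
            addr = ipaddress.IPv4Address(dst)
        except ValueError:
            addr = None
        if addr is not None and any(addr in net for net in CERBER_UDP_NETS):
            hits.append(f"udp {dst}:{CERBER_UDP_DPORT}: Cerber UDP post-infection traffic")
    return hits


def scan(records: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map record index -> hits for every record that matched at least one indicator."""
    out: Dict[int, List[str]] = {}
    for i, rec in enumerate(records):
        hits = match_record(rec)
        if hits:
            out[i] = hits
    return out


# Constructed sample records (hypothetical flow-log layout, not from the pcap).
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"proto": "tcp", "src_ip": "192.168.1.10", "sport": 49201,
     "dst_ip": "91.134.161.33", "dport": 80, "host": "money-supermarket.org"},
    {"proto": "tcp", "src_ip": "192.168.1.10", "sport": 49203,
     "dst_ip": "51.255.105.22", "dport": 80, "host": "dd1d0b29o.baditems.gdn"},
    {"proto": "tcp", "src_ip": "192.168.1.10", "sport": 49210,
     "dst_ip": "54.88.175.149", "dport": 80, "host": "ipinfo.io"},
    {"proto": "udp", "src_ip": "192.168.1.10", "sport": 51292,
     "dst_ip": "85.93.17.201", "dport": 6892},
    # Just outside the /18 (third octet 64): must not match.
    {"proto": "udp", "src_ip": "192.168.1.10", "sport": 51292,
     "dst_ip": "85.93.64.1", "dport": 6892},
    {"proto": "tcp", "src_ip": "192.168.1.10", "sport": 49300,
     "dst_ip": "93.184.216.34", "dport": 443, "host": "example.com"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_RECORDS).items():
        for hit in hits:
            print(f"record {idx}: {hit}")
```

Note that the /18 match only fires on UDP to port 6892; a single hit on ipinfo.io is deliberately labelled weak, since plenty of benign software asks that service for its public address, while the beacons to many hosts in 85.93.0.0/18 are the distinctive part of Cerber's post-infection traffic.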

 

DETAILS OF INFECTION CHAIN:

Shown above: IP addresses and domains associated with the Magnitude EK infection chain leading to the Cerber ransomware infection.

 

Shown above: Injected script found on the malvertising profiling page, leading to a second redirect. The index page was extracted in Wireshark via File => Export Objects => HTTP, selecting the text/html index page from the site and saving it as an .htm file.

 

Shown above: Looking at the profiling gate in packet view shows a check for Kaspersky software.

 

Shown above: www.domaintools.com shows the profiling/fingerprinting gate domain was recently registered, on 2016-06-22.

 

Shown above: Following the TCP stream in Wireshark (Follow TCP Stream) shows the redirect from money-supermarket.org to terportalbe.vip, which in turn used a 302 Moved Temporarily redirect to reach the Magnitude landing page.

 

Shown above: www.domaintools.com shows the profiling/fingerprinting gate domain was recently registered, on 2016-06-22.

 

Shown above: Following the TCP stream in Wireshark (Follow TCP Stream) on the Magnitude EK landing page shows the start of Magnitude's infection chain.

 

Shown above: Partial view of the obfuscated script in the last stage of the Magnitude EK landing page, before the Flash exploit shown below.

 

Shown above: Partial contents of the Flash exploit served by Magnitude EK.

 

Shown above: After the Flash exploit succeeds, Magnitude EK sends the malicious payload. It attempts to disguise the delivery of a Windows executable (the body starts with the "MZ" PE header) by serving it with "Content-Type: text/html".
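The mismatch above (an "MZ" executable served as text/html) is easy to check for mechanically. The following is an added example of my own, not code from the original write-up, that parses raw HTTP responses, undoes gzip/deflate Content-Encoding so the magic bytes are visible, and flags bodies whose file signature contradicts the declared Content-Type. The sample responses, including the PE stub bytes, are constructed for the example; only the idea of a PE body behind text/html comes from the capture.

```python
import gzip
import zlib
from typing import Dict, List, Optional, Tuple

# File signatures worth comparing against the declared Content-Type.
MAGIC: List[Tuple[bytes, str]] = [
    (b"MZ", "PE executable (MZ)"),
    (b"CWS", "Flash SWF (zlib-compressed)"),
    (b"FWS", "Flash SWF (uncompressed)"),
    (b"ZWS", "Flash SWF (LZMA-compressed)"),
    (b"%PDF", "PDF"),
    (b"PK\x03\x04", "ZIP archive"),
]
# Content-Types under which each body type is not a surprise.
EXPECTED_TYPES: Dict[str, set] = {
    "PE executable (MZ)": {"application/x-msdownload", "application/x-msdos-program",
                           "application/x-dosexec", "application/octet-stream"},
    "Flash SWF (zlib-compressed)": {"application/x-shockwave-flash"},
    "Flash SWF (uncompressed)": {"application/x-shockwave-flash"},
    "Flash SWF (LZMA-compressed)": {"application/x-shockwave-flash"},
    "PDF": {"application/pdf"},
    "ZIP archive": {"application/zip", "application/octet-stream"},
}


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def decode_body(headers: Dict[str, str], body: bytes) -> bytes:
    """Undo gzip/deflate Content-Encoding; on failure inspect the bytes as-is."""
    enc = headers.get("content-encoding", "").strip().lower()
    try:
        if enc in ("gzip", "x-gzip"):
            return gzip.decompress(body)
        if enc == "deflate":
            try:
                return zlib.decompress(body)
            except zlib.error:
                return zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate
    except (OSError, EOFError, zlib.error):
        pass  # truncated or bogus encoding
    return body


def identify_body(body: bytes) -> Optional[str]:
    """Name the body type by its leading magic bytes, or None if unrecognised."""
    for magic, name in MAGIC:
        if body.startswith(magic):
            return name
    return None


def check_response(raw: bytes) -> Optional[str]:
    """Return a finding if the body's signature contradicts the Content-Type."""
    _, headers, body = parse_response(raw)
    kind = identify_body(decode_body(headers, body))
    if kind is None:
        return None
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    if declared in EXPECTED_TYPES.get(kind, set()):
        return None
    return f"{kind} served as Content-Type {declared or '<missing>'}"


def scan_responses(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Findings keyed by sample name; clean responses are left out."""
    return {n: f for n, r in samples.items() if (f := check_response(r)) is not None}


# Constructed test data: a fake PE header, not a real binary.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def _response(headers: List[Tuple[str, str]], body: bytes) -> bytes:
    head = b"HTTP/1.1 200 OK\r\n" + b"".join(f"{k}: {v}\r\n".encode() for k, v in headers)
    return head + f"Content-Length: {len(body)}\r\n".encode() + b"\r\n" + body


SAMPLES: Dict[str, bytes] = {
    "payload_as_html": _response([("Content-Type", "text/html")], PE_STUB),
    "gzipped_payload_as_html": _response(
        [("Content-Type", "text/html"), ("Content-Encoding", "gzip")], gzip.compress(PE_STUB)),
    "swf": _response([("Content-Type", "application/x-shockwave-flash")], b"CWS\x0f\x00\x00\x00\x00"),
    "html": _response([("Content-Type", "text/html")], b"<html><body>ok</body></html>"),
    "exe_download": _response([("Content-Type", "application/octet-stream")], PE_STUB),
}

if __name__ == "__main__":
    for name, finding in scan_responses(SAMPLES).items():
        print(f"{name}: {finding}")
```

The decode step matters in practice: a server that gzips the response hides the MZ bytes from a naive check, and a Content-Length that does not match the body (chunked or truncated captures) is another reason to reassemble the stream before running this, as Wireshark's Follow TCP Stream does.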

 

Shown above: Post-infection traffic associated with the Cerber ransomware infection.

 

Shown above: UDP post-infection traffic associated with the Cerber ransomware infection.

 

Shown above: Cerber .HTML ransom note and decryption instructions.

 

Shown above: Cerber .TXT ransom note and decryption instructions.

 

MALICIOUS PAYLOAD ASSOCIATED WITH MAGNITUDE EXPLOIT: