App Review JS/Cerber.S!Eldorado Ransomware


Lucent Warrior

Thread author
This short video is a demonstration of a ransomware attack for those unaware of what ransomware is
and/or what it does, and of why it is necessary to make regular backups of your personal files.

Note the detection rate of the sample: VT 5/57.
Also note that it bypassed SmartScreen & UAC.



Sample courtesy of @_CyberGhosT_ , thank you for the great catch.

hjlbx

Thread author
From Malwarebytes Blog

CERBER UAC Bypass

Cerber uses tricks to bypass Windows User Account Control (UAC) and deploy itself with elevated privileges. It is achieved by the following steps:
  1. Search for an executable in C:\Windows\system32 that can auto-elevate its privileges.
  2. Search its import table for a DLL that can be hijacked.
  3. Copy the DLL into the %TEMP% folder and patch it – add code in a new section and patch the entry point in order to redirect execution there. It will be used in order to run the Cerber sample with elevated privileges. It uses: WinExec(“[cerber_path] -eval 2524“, SW_SHOWNORMAL)
  4. Inject the code into explorer.exe – it is responsible for executing the UAC bypass. It creates a new folder in C:\Windows\system32 and copies both files there – an EXE and the patched DLL – under their original names, then it deploys the EXE, causing the DLL to load and execute the malicious code.
  5. When the UAC bypass is executed successfully, it is signaled to the original Cerber sample by setting a property cerber_uac_status – added to Shell_TrayWnd. Then the original sample deletes the dropped files and exits. Otherwise, it tries the same trick with a different pair of EXE + DLL.
NOTE (Mine): User Space processes should not be permitted to copy any files in System Space and paste them to User Space. This copying of System Space objects and pasting them to User Space is used by malware types other than Cerber.
* * * * *

If you want further details see here: Cerber Ransomware – New, But Mature
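The staging sequence in the Malwarebytes excerpt quoted above (a brand-new folder under System32, an EXE plus a DLL dropped there by an injected explorer.exe, then that EXE launched at High integrity so it loads the patched DLL beside it) leaves a footprint a SOC can hunt for. What follows is an added example and not code from the Malwarebytes post or from anyone in this thread: a small Python detector run over constructed Sysmon-style FileCreate (EventID 11) and ProcessCreate (EventID 1) records. The folder and file names in the sample events and the TRUSTED_WRITERS allow-list are assumptions made for the demonstration; the page does not name the EXE/DLL pair Cerber uses.

```python
"""Detect Cerber-style UAC bypass staging in Sysmon-like events.

Indicators, as described in the Malwarebytes write-up quoted in the thread:
  * a process that is not a normal System32 writer (e.g. an injected
    explorer.exe) creates a NEW subfolder of C:\\Windows\\System32 and drops
    both an .exe and a .dll there, and
  * that .exe is then started from the new folder with IntegrityLevel High
    (the auto-elevating binary loading the planted DLL from its own directory).

Field names follow Sysmon (Image, TargetFilename, ParentImage, IntegrityLevel).
ntpath is used so the Windows paths parse correctly on any host.
"""
import ntpath
from collections import defaultdict

SYSTEM32 = r"c:\windows\system32"

# Processes that legitimately populate System32. Assumption for the example:
# tune this allow-list to what your own baseline shows.
TRUSTED_WRITERS = {
    r"c:\windows\servicing\trustedinstaller.exe",
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\system32\svchost.exe",
}


def _norm(path):
    """Case-fold a Windows path so comparisons are case-insensitive."""
    return path.lower()


def staged_dirs(events):
    """Return {folder: {'exe': set, 'dll': set, 'writer': set}} for direct
    subfolders of System32 that received both an EXE and a DLL from at least
    one writer outside TRUSTED_WRITERS."""
    drops = defaultdict(lambda: {"exe": set(), "dll": set(), "writer": set()})
    for ev in events:
        if ev["EventID"] != 11:  # Sysmon FileCreate
            continue
        folder, name = ntpath.split(_norm(ev["TargetFilename"]))
        # Only immediate subfolders of System32 are interesting here
        if ntpath.dirname(folder) != SYSTEM32:
            continue
        ext = ntpath.splitext(name)[1]
        if ext not in (".exe", ".dll"):
            continue
        drops[folder][ext[1:]].add(name)
        drops[folder]["writer"].add(_norm(ev["Image"]))
    return {d: v for d, v in drops.items()
            if v["exe"] and v["dll"] and not v["writer"] <= TRUSTED_WRITERS}


def detect_uac_bypass(events):
    """Correlate a staged folder with a High-integrity launch out of it.
    Returns a list of (folder, launched_exe, parent_image) findings."""
    staged = staged_dirs(events)
    findings = []
    for ev in events:
        if ev["EventID"] != 1:  # Sysmon ProcessCreate
            continue
        image = _norm(ev["Image"])
        if ntpath.dirname(image) in staged and ev.get("IntegrityLevel") == "High":
            findings.append((ntpath.dirname(image), image, _norm(ev["ParentImage"])))
    return findings


# Constructed sample telemetry (not real logs); names are placeholders.
SAMPLE_EVENTS = [
    # explorer.exe (carrying injected code) stages a fresh folder with an EXE + DLL
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\System32\a9f3e\elevator.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\System32\a9f3e\hijacked.dll"},
    # the staged EXE auto-elevates and will load the DLL sitting beside it
    {"EventID": 1, "Image": r"C:\Windows\System32\a9f3e\elevator.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "High"},
    # benign noise: servicing writing a DLL, and a normal medium-integrity shell
    {"EventID": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\DriverStore\x.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
]

if __name__ == "__main__":
    for folder, exe, parent in detect_uac_bypass(SAMPLE_EVENTS):
        print(f"possible UAC bypass: {exe} (staged in {folder}) launched by {parent}")
```

The two-stage correlation matters: a single FileCreate under System32 is common during updates, and a High-integrity process spawned by explorer.exe is what any consented elevation looks like; it is the combination of an untrusted writer, an EXE/DLL pair in a fresh subfolder, and an elevated launch from that same subfolder that maps to the steps in the write-up. The NOTE about user-space processes copying system binaries is a complementary control at the file-system level.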

_CyberGhosT_

Awesome, thank you L'dub; you, Jack, and Av Gurus were an integral part of the
successful upload of this to the Hub, and for that I am grateful.
I received this in my inbox at ProtonMail from a spammer that has been sending me Emails 2 to 3 times a week
for the past 3 months.
I sent the security team at ProtonMail an email explaining the situation and I hope they can block this sender from their servers.
Thank you for your time & patience in assisting me, L'dub; it has left an impression of the most positive nature.
It's just more proof positive of the type of community we are blessed to have here at MT.
PeAcE brother.

Der.Reisende

hjlbx said: (quoting the Malwarebytes "CERBER UAC Bypass" excerpt above)
Awesome addition, thank you for sharing!
@_CyberGhosT_ thank you for sharing the sample, keep it up :)

@Lucent Warrior Nice piece of breakfast TV, thank you for the work and the share ;)
Like the idea of you and others grabbing emerging threats and packing them into educational moving pictures :)
Keep it up also please!

Lucent Warrior

Thread author
...and this is why the backup is so important o_O
So tell me: this sample just bypassed your security, "including the OS built in", and encrypted all your files; there is no decryptor yet for this variety, or you're just novice enough not to know that some of them exist. What do you do?

If you regularly back up your personal files, you would not have to sweat this; you have lost nothing but the time spent fixing your system. So yes, backups are very important. That is, unless you don't mind paying to get access back to your files. ;)

Viking

[image: main.jpg]