Key Takeaways
What is C3RB3R?
For initial compromise, the threat actors send a specially crafted HTTP POST request to the exposed Confluence instance, specifically to the setup-restore.action endpoint. Once they have created an administrative account, they run scripts that download and execute the desired payload. A webshell named web.shell.Plugin is used for script execution.
Next, the threat actors use PowerShell scripts to determine whether an available proxy server should be used for communication with the Confluence server. Depending on the environment, one of several download methods delivers the next-stage payloads. The initial payloads are stored on the C2 server under inconspicuous names.
Linux Variant
In the Linux variant, the Confluence parent process (Java) is used for command injection. After a series of commands, including Python scripts, qnetd is downloaded; it in turn downloads and executes the final payload.
Windows Variant
In the Windows variant, the -b 9 argument is used to launch a hidden window controlled via scripts on the remote C2. C3RB3R attempts to remove volume shadow copies using WMIC.EXE. The ransomware encrypts both local drives and connected SMB shares, and encrypted files are given the .L0CK3D extension.
The C3RB3R ransom note is delivered as a .txt file, and each victim is issued a unique Tor-based portal URL. The threat actors operate a double-extortion model, warning that the encrypted data has also been exfiltrated and will be sold if the ransom is not paid.
What is CVE-2023-22518?
CVE-2023-22518 is an improper authorization vulnerability affecting Atlassian's Confluence Data Center and Server software. It allows an unauthenticated threat actor to reset Confluence and create a Confluence instance administrator account. With that account, the threat actor can perform administrator-level actions, including ones that lead to a full loss of confidentiality, integrity, and availability.
The vulnerability was first disclosed on October 31. After observing several active exploits leveraging CVE-2023-22518, Atlassian raised its CVSS score from 9.1 to 10, the highest critical rating.
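The three observable behaviours described above (a POST to setup-restore.action, shadow copy deletion via WMIC.EXE, and the .L0CK3D extension) can each be turned into a simple detection. The following script is an added example and not code from the report or from PolySwarm; the access log format, the `/json/` path prefix, and all sample lines are constructed for illustration.

```python
import re

# Tomcat/Confluence-style access log line (format is an assumption):
# client-ip - user [timestamp] "METHOD path HTTP/1.1" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# WMIC.EXE invoked with "shadowcopy delete" in any argument order
SHADOW_RE = re.compile(r'\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b', re.IGNORECASE)


def flag_setup_restore_posts(lines):
    """Return (ip, path, status) for every POST that hits setup-restore.action."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m["method"] == "POST" and "setup-restore.action" in m["path"].lower():
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


def flag_shadow_copy_deletion(cmdlines):
    """Return process command lines that delete volume shadow copies via WMIC."""
    return [c for c in cmdlines if SHADOW_RE.search(c)]


def find_locked_files(paths):
    """Return file paths carrying the .L0CK3D extension (case-insensitive)."""
    return [p for p in paths if p.lower().endswith(".l0ck3d")]


# Constructed sample telemetry; the IP is a documentation address, not an IoC.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - admin [02/Nov/2023:09:58:11 +0000] "GET /login.action HTTP/1.1" 200 4120',
    '203.0.113.5 - - [02/Nov/2023:10:15:01 +0000] "POST /json/setup-restore.action HTTP/1.1" 200 1532',
    '198.51.100.7 - admin [02/Nov/2023:10:16:40 +0000] "POST /rest/api/content HTTP/1.1" 201 880',
]
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\wbem\WMIC.exe shadowcopy delete",
    r"powershell.exe -ExecutionPolicy Bypass -File update.ps1",
    r"wmic process list brief",
]
SAMPLE_PATHS = [r"\\fileserver\finance\q3.xlsx.L0CK3D", r"\\fileserver\finance\notes.txt"]

if __name__ == "__main__":
    print(flag_setup_restore_posts(SAMPLE_ACCESS_LOG))
    print(flag_shadow_copy_deletion(SAMPLE_CMDLINES))
    print(find_locked_files(SAMPLE_PATHS))
```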
IOCs
PolySwarm has multiple samples of C3RB3R and continues to track Cerber ransomware and its emerging variants.
PolySwarm analysts discovered a C3RB3R sample with the hash f2e17ec85c3f8ee26a3be3ce52c6e140448941d705a9bdedb7c1aa82a9d9707f that is not listed in the source report.
You can use the following CLI command to search for C3RB3R samples in our portal:
$ polyswarm link list -t C3RB3R
You can use the following CLI command to search for all Cerber ransomware family samples in our portal, including previous variants:
$ polyswarm link list -f Cerber