The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Cerber2021 Targets Windows and Linux

Jun 30, 2022 10:18:47 AM / by PolySwarm Tech Team

Cerber_Blog

Executive Summary

Cyble recently reported on the resurgence of Cerber2021 ransomware, which targets both Windows and Linux systems.

Key Takeaways

  • Cerber2021 is a ransomware family targeting both Windows and Linux systems.
  • Cerber2021 uses different code and encryption methods than the older versions of Cerber. 
  • Threat actors recently leveraged CVE-2022-26134 (Confluence Server OGNL injection vulnerability) to infect systems with Cerber2021.
What is Cerber2021?

Cerber2021, also known as CerberImposter, is a ransomware family. The original Cerber ransomware is a RaaS (ransomware as a service), first seen in the wild in 2016.  Cerber2021 was identified in late 2021, leveraging CVE-2021-26084 and CVE-2021-22205 to target Confluence and Gitlab servers. This new variant targets both Windows and Linux systems and uses different code and encryption methods than the older versions of Cerber.

According to Cyble, the ransomware is sophisticated, and threat actors are using unpatched or recently patched vulnerabilities to spread Cerber2021. Earlier this month, Microsoft noted CVE-2022-26134 was being leveraged to download and launch Cerber2021. CVE-2022-26134 affects Confluence Server and Data Center. CVE-2022-26134 is an OGNL injection vulnerability allowing an unauthenticated threat actor to execute arbitrary code on a Confluence Server or Data Center instance. CVE-2022-26134 could allow a threat actor to gain remote control of unpatched servers.

Windows Variant
According to an analysis by Cyble, the malicious file in the variant targeting Windows is a 32-bit GUI based binary. When executed, the malware checks for three mutex strings indicating prior Cerber2021 infection and terminates execution if any of the strings are found. Cerber2021 uses the Crypto++ Library for encryption. The malware checks drives “C:\” to “Z:\” and targets a wide range of file types for encryption. Cerber2021 appends the .locked extension to encrypted files. Following encryption, Cerber2021 generates a Tor Onion URL link by appending a dynamically generated key at the end. In the variant targeting Windows, Cerber2021 uses the ShellExecuteA() API function to delete the ransomware file after infection.

Linux Variant
Cyble also analyzed a sample of the Cerber2021 variant targeting Linux systems. They found that the malicious file is a 64-bit UPX-packed ELF binary. The Linux variant operates similarly to the Windows variant.

Following infection from either variant, the victim is presented with a ransom note  __$$RECOVERY_README$$__.html, which instructs them to contact the threat actors through the TOR site. The threat actors use double extortion tactics, threatening to leak stolen data if the victim does not contact them within 30 days.

IOCs

PolySwarm has multiple samples associated with Cerber2021.

46998fe7f03cf9f870d95b6585324bbde64fe0a673382ef571662ca2f40499bb

078de7d019f5f1e546aa29af7123643bd250341af71506e6256dfee8f245a2a7

84cbffb84b7c9ced79b511f82a15414d9202ab68479dfe44cec7b745ed12f973

Eba0482a5b1232db451b1a745dd8e99defb9f1194b070e2f5c20eeb251296a86

772cad26853c7d8ea8f1023f6e3cba219cc9bb1db1cd31ad2b979e59d3d9c631

You can use the following CLI command to search for all Cerber2021 samples in our portal:

$ polyswarm link list -f Cerber2021


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports


Topics: Threat Bulletin, Ransomware, Cerber, CerberImposter, CVE-2022-26134, Cerber2021

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts