Cerber Ransomware: Dissecting the three heads

Cado Security analysed a Linux variant of the Cerber ransomware deployed via CVE-2023-22518 against Confluence, revealing a three-stage chain of UPX-packed C++ payloads that downloads and decodes its later stages from a remote C2. The chain is launched through a web shell plugin installed with the attacker-created admin account, runs a write-check as a sandbox/permission test, then decodes and executes an ELF encryptor that overwrites files in place and appends a .L0CK3D extension. #Cerber #Confluence #CVE-2023-22518 #agttydcb #agttydck

Keypoints

  • Initial access achieved by exploiting CVE-2023-22518 in Confluence to create an administrator account and upload a web shell plugin.
  • With the new admin account the attacker installs the Effluence web shell plugin, which executes arbitrary commands and is used to launch the primary Cerber stager as the confluence user.
  • Three UPX-packed C++ payloads: primary stager, log-checker (agttydck), and encryptor (agttydcb); primary fetches secondary stages from a C2 at 45[.]145[.]6[.]112.
  • Primary stager runs unpacked in memory and deletes its on-disk artifacts; it then downloads an encoded agttydcb to /tmp, rewrites that file in place as a valid ELF, and executes it.
  • Log-checker (agttydck) writes “success” to /tmp/ck.log as a permission/sandbox check before encryption proceeds.
  • Encryptor walks the root filesystem, writes a ransom note (read-me3.txt), overwrites files in-place with encrypted data, and renames them with a .L0CK3D extension.
  • Observed IOCs include three SHA-256 hashes and the C2 IP 45[.]145[.]6[.]112; no data exfiltration was observed.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain initial access by exploiting CVE-2023-22518 to reset Confluence and create an admin account (‘allows an attacker to reset the Confluence application and create a new administrator account using an unprotected configuration restore endpoint’).
  • [T1136] Create Account – The exploit creates a new administrator account in Confluence to maintain access (‘create a new administrator account’).
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – A web shell plugin provides a web UI to execute arbitrary commands on the host (‘Effluence web shell plugin … provides a web UI for executing arbitrary commands on the host’).
  • [T1105] Ingress Tool Transfer – Primary payload downloads secondary payloads from a remote server (C2) and writes them to /tmp (‘connects to the C2 server at 45[.]145[.]6[.]112 and pulls down the secondary payload … writing the payload body out to /tmp/agttydck.bat’).
  • [T1027] Obfuscated Files or Information – All payloads are highly obfuscated and packed with UPX to hinder detection and analysis (‘Written in C++, highly obfuscated, and packed with UPX’).
  • [T1071] Application Layer Protocol – Uses HTTP GET requests to retrieve payloads from the command-and-control server (‘doing a simple GET /agttydcki64 request to the server using HTTP’).
  • [T1083] File and Directory Discovery – The encryptor walks the root filesystem to identify directories and files to encrypt (‘Walks the root directory looking for directories it can encrypt’).
  • [T1486] Data Encrypted for Impact – The encryptor overwrites file contents in-place and renames files with a .L0CK3D extension to render data inaccessible (‘Overwrites all files in directory with their encrypted content, and adds a .L0CK3D extension’).
  • [T1070] Indicator Removal – Payloads delete their own on-disk copies once running in memory, leaving fewer artifacts for forensic review (‘Deletes itself off disk upon execution’).

Indicators of Compromise

  • [SHA256 hash] payload hashes – 4ed46b98d047f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfe, 1849bc76e4f9f09fc6c88d5de1a7cb304f9bc9d338f5a823b7431694457345bd, and 1 more hash
  • [IP address] Command & Control (defunct) – 45[.]145[.]6[.]112 (used to download agttydcki64/agttydcb)
  • [File paths / filenames] temporary payloads and artifacts – /tmp/agttydck.bat, /tmp/agttydcb.bat, /tmp/ck.log, /tmp/log.0, /tmp/log.1, the lock file /var/lock/0init-ld.lo, and the ransom note read-me3.txt (ransom extension .L0CK3D)
  • [Vulnerability] initial access vector – CVE-2023-22518 (Confluence improper authorization exploit used to create admin account)

The technical flow: attackers exploited CVE-2023-22518 on Confluence to create an administrator account and upload the Effluence web shell, which they used to execute the primary Cerber stager as the confluence user. The primary UPX-packed C++ stager unpacks in memory, attempts to create a lock file at /var/lock/0init-ld.lo, fetches the log-checker (agttydck) with an HTTP GET from 45[.]145[.]6[.]112, writes it to /tmp/agttydck.bat and executes it. The log-checker's only job is to write “success” to /tmp/ck.log, which tells the stager that the host is writable and not a restricted sandbox before it proceeds.

After the log check succeeds, the primary stager deletes its on-disk artifacts, downloads an encoded payload (agttydcb) to /tmp/agttydcb.bat, and rewrites that file in place as a valid ELF before executing it. The decoding is literally in place: the stager reads the downloaded body, seeks back to offset zero and writes the decoded ELF over it. The downloaded form looks like a DOS-executable wrapper around a high-entropy blob, so a custom encoding layer sits on top of the UPX-packed binary and the file only becomes a recognisable ELF after the rewrite; a hash or YARA scan of /tmp/agttydcb.bat taken before that step will not match the final encryptor.
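The process lineage described in the two paragraphs above (Confluence JVM → shell → stager in /tmp → staged payloads → C2 fetch) is what a detection rule can key on. The Python below is an added example, not Cado's code or anything from the Cerber samples: it runs four chain-specific rules over a constructed process-start feed. The event schema, the bundled-JRE path of the Confluence JVM, and the primary stager's path (/tmp/.stager, which the write-up does not name) are assumptions; the C2 address and the agttydck/agttydcb paths come from the page.

```python
"""Detection rules for the Confluence web shell -> Cerber stager chain (added example, not Cado's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Indicators taken from the write-up; the C2 address is refanged from its defanged form.
C2_IPS = {"45[.]145[.]6[.]112".replace("[.]", ".")}
STAGE_PATHS = {"/tmp/agttydck.bat", "/tmp/agttydcb.bat"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}
CONFLUENCE_USER = "confluence"


@dataclass
class Event:
    """One process-start record from a hypothetical EDR/auditd feed (constructed schema)."""
    pid: int
    ppid: int
    user: str
    exe: str
    argv: List[str] = field(default_factory=list)
    dst_ip: Optional[str] = None  # outbound connection seen from this process, if any


def _is_confluence_jvm(e: Optional[Event]) -> bool:
    """Effluence runs inside the Confluence JVM, so its commands descend from that java process."""
    return e is not None and e.user == CONFLUENCE_USER and e.exe.rsplit("/", 1)[-1] == "java"


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs for every event matching one of four chain-specific rules."""
    by_pid = {e.pid: e for e in events}
    alerts: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: a shell whose parent is the Confluence JVM -> web shell command execution (T1059.004).
        if e.exe in SHELLS and _is_confluence_jvm(parent):
            alerts.append(("webshell_shell_spawn", e.pid))
        # Rule 2: the confluence service account executing anything under /tmp (stagers are dropped there).
        if e.user == CONFLUENCE_USER and e.exe.startswith("/tmp/"):
            alerts.append(("tmp_exec_by_confluence", e.pid))
        # Rule 3: exact match on the stage file names the write-up documents (T1105 follow-on).
        if e.exe in STAGE_PATHS:
            alerts.append(("known_stage_path", e.pid))
        # Rule 4: contact with the published C2 address (T1071).
        if e.dst_ip in C2_IPS:
            alerts.append(("c2_contact", e.pid))
    return alerts


# Constructed telemetry, not real logs. The JVM path is the usual bundled-JRE location (assumed),
# and the primary stager's path (/tmp/.stager) is an assumption; the page does not name it.
SAMPLE_EVENTS = [
    Event(1200, 1, "confluence", "/opt/atlassian/confluence/jre/bin/java",
          ["java", "-Dcatalina.base=/opt/atlassian/confluence"]),
    Event(2001, 1200, "confluence", "/bin/sh", ["sh", "-c", "id"]),
    Event(2002, 1200, "confluence", "/bin/sh", ["sh", "-c", "/tmp/.stager"]),
    Event(2003, 2002, "confluence", "/tmp/.stager", ["/tmp/.stager"], dst_ip="45.145.6.112"),
    Event(2004, 2003, "confluence", "/tmp/agttydck.bat", ["/tmp/agttydck.bat"]),
    Event(2005, 2003, "confluence", "/tmp/agttydcb.bat", ["/tmp/agttydcb.bat"]),
    Event(3000, 1, "root", "/usr/sbin/cron", ["cron"]),
    Event(3001, 3000, "root", "/bin/sh", ["sh", "-c", "/usr/bin/logrotate /etc/logrotate.conf"]),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:24s} pid={pid}")
```

Rule 1 is the durable one: it fires on any command Effluence runs, whatever the payload is renamed to, because the web shell cannot escape being a child of the JVM. Rule 2 needs tuning on hosts where installers legitimately execute from /tmp, and Rule 4 is mostly historical now that the C2 is defunct. The benign cron-spawned shell (pid 3001) produces no alert.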

The encryptor thread creates /tmp/log.0 when it starts and /tmp/log.1 when it finishes. It walks the root filesystem looking for directories it can write to, drops a read-me3.txt ransom note into each target directory, then for each file opens it, reads the whole file into memory, encrypts the buffer, seeks back to the start of the file, overwrites the original content with the ciphertext, and renames the file with a .L0CK3D suffix. Because the ciphertext is written over the original blocks rather than to a new file, there is no unlinked plaintext copy to carve from free space on a non-copy-on-write filesystem. The payload deletes its binary artifacts and exits; Cado did not observe any data exfiltration behaviour.
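For an incident responder, the paragraph above translates into a short list of things to look for on a mounted disk image: the stager and log-checker leftovers in /tmp and /var/lock, the per-directory ransom notes, and the renamed .L0CK3D files. The Python below is an added triage example, not Cado's tooling: it walks an evidence tree rooted at a mount point, collects those indicators, confirms the ck.log “success” marker, and measures the entropy of each .L0CK3D file so that files that were renamed but not actually overwritten (an empty file, or a run that was interrupted) are surfaced for recovery. The entropy threshold and the sample evidence tree are constructed for this example; the artifact names and paths come from the page.

```python
"""Offline triage of the Cerber Linux encryptor's on-disk footprint (added example, not Cado's code)."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from typing import Dict, List

RANSOM_EXT = ".L0CK3D"
RANSOM_NOTE = "read-me3.txt"
# Stage artifacts named in the write-up, relative to the mount root of the evidence image.
STAGE_ARTIFACTS = [
    "tmp/agttydck.bat", "tmp/agttydcb.bat", "tmp/ck.log",
    "tmp/log.0", "tmp/log.1", "var/lock/0init-ld.lo",
]
ENTROPY_THRESHOLD = 7.0  # bits/byte; an assumption for this example, not a value from the page
SAMPLE_BYTES = 4096      # only the head of each renamed file is measured


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly distributed bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(root: str) -> Dict[str, List[str]]:
    """Walk a mounted image rooted at `root` and collect the Cerber indicators described above."""
    findings: Dict[str, List[str]] = {
        "stage_artifacts": [],     # stager / log-checker leftovers in tmp/ and var/lock/
        "ransom_notes": [],        # read-me3.txt dropped into each targeted directory
        "locked_files": [],        # files renamed with the .L0CK3D extension
        "low_entropy_locked": [],  # renamed but not (fully) overwritten: worth a recovery attempt
    }
    for rel in STAGE_ARTIFACTS:
        if os.path.exists(os.path.join(root, rel)):
            findings["stage_artifacts"].append(rel)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name == RANSOM_NOTE:
                findings["ransom_notes"].append(rel)
            elif name.endswith(RANSOM_EXT):
                findings["locked_files"].append(rel)
                with open(full, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
                if shannon_entropy(head) < ENTROPY_THRESHOLD:
                    findings["low_entropy_locked"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def ck_log_reports_success(root: str) -> bool:
    """True if the log-checker's write test left the 'success' marker in tmp/ck.log."""
    path = os.path.join(root, "tmp", "ck.log")
    if not os.path.isfile(path):
        return False
    with open(path, "rb") as fh:
        return fh.read().strip() == b"success"


def build_sample_tree() -> str:
    """Constructed evidence tree (not a real image) mimicking the post-encryption state."""
    root = tempfile.mkdtemp(prefix="cerber-triage-")

    def put(rel: str, data: bytes) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    # Deterministic pseudo-random bytes stand in for ciphertext written in place.
    ciphertext = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(128))
    put("docs/report.txt" + RANSOM_EXT, ciphertext)
    put("docs/empty.db" + RANSOM_EXT, b"")  # renamed, but there was nothing to overwrite
    put("docs/" + RANSOM_NOTE, b"constructed placeholder for the ransom note\n")
    put("home/alice/" + RANSOM_NOTE, b"constructed placeholder for the ransom note\n")
    put("home/alice/notes.txt", b"plain text the encryptor never touched\n" * 50)
    put("tmp/ck.log", b"success")
    put("tmp/log.0", b"")
    put("tmp/log.1", b"")
    put("var/lock/0init-ld.lo", b"")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for key, items in triage(sample).items():
        print(f"{key}: {items}")
    print("ck.log success marker:", ck_log_reports_success(sample))
```

Point `triage()` at the mount point of a read-only image (for example /mnt/evidence) rather than at a live root, so the walk itself does not disturb timestamps on the host under investigation. A .L0CK3D file that lands in `low_entropy_locked` was renamed without its contents being replaced by ciphertext and should be pulled aside before any restore-from-backup decision is made.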

Read more: https://www.cadosecurity.com/blog/cerber-ransomware-dissecting-the-three-heads