Malware News New Cerber Ransomware Variant Pops Up, Brings New Featuresq

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Cerber is back with a new variant which has emerged in the past month. This new ransomware variant comes with multipart arrival vectors and new file encryption routines.

For over a year now, Cerber has been a constant threat, climbing to the top of ransomware charts. In the first quarter of 2017, it accounted for about 87% of ransomware attacks, which is an amazing and terrifying statistic.

In April 2017, security researchers from TrendMicro claim Cerber reached its 6th version. All in all, the malware is generating millions of dollars in revenue for operators and developers, especially since it is distributed as ransomware-as-a-service.

Old malware, new features
This new version of Cerber sports multipart arrival vectors and refashioned file encryption routines, along with defense mechanisms that include anti-sandbox and anti-AV techniques.

"We’ve also seen how the latest versions of Cerber employed a number of methods to avoid traditional security solutions. Since its emergence in 2016, Cerber’s evolution has shown how its developers constantly diversified the ransomware’s attack chain while broadening its capabilities to stay ahead of the game," notes TrendMicro's Gilbert Sison, Threats Analyst.

Cerber uses spam emails as a way in people's computers. Version 6 comes with socially engineered emails containing a zipped attachment that includes a malicious JavaScript file. Once opened, the JS file downloads and executes the payload, creates a scheduled task to run Cerber after two minutes or runs an embedded PowerShell script.

As TrendMicro's experts point out, adding a time delay in the attack chain enables the ransomware to elude traditional sandboxes.

Cerber 6 has features that stand out to researchers. One of these features is the fact that it has a routine for terminating processes to ensure encryption of files. Another addition is the fact that it checks on file extensions so it knows what files to avoid during the encryption process.

"Cerber 6 goes beyond identifying them and can now be configured to have Windows firewall rules added in order to block the outbound traffic of all the executable binaries of firewalls, antivirus, and antispyware products installed in the system. This can possibly restrict their detection and mitigation capabilities. This is further exacerbated by how Cerber can also circumvent static machine learning detection on top of self-awareness of analysis tools and virtualized environments that allows it to evade them (by self-destructing)," note the researchers.

Furthermore, Cerber 6 has also eschewed the implementation of RSA and RC4 algorithms in its encryption routine in favor of Cryptographic Application Programming Interface. It also has a function that reads and encrypts the content of the file.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top