- Oct 23, 2012
Cerber is back with a new variant which has emerged in the past month. This new ransomware variant comes with multipart arrival vectors and new file encryption routines.
For over a year now, Cerber has been a constant threat, climbing to the top of ransomware charts. In the first quarter of 2017, it accounted for about 87% of ransomware attacks, which is an amazing and terrifying statistic.
In April 2017, security researchers from TrendMicro reported that Cerber had reached its 6th version. All in all, the malware is generating millions of dollars in revenue for its operators and developers, especially since it is distributed as ransomware-as-a-service.
Old malware, new features
This new version of Cerber sports multipart arrival vectors and refashioned file encryption routines, along with defense mechanisms that include anti-sandbox and anti-AV techniques.
"We’ve also seen how the latest versions of Cerber employed a number of methods to avoid traditional security solutions. Since its emergence in 2016, Cerber’s evolution has shown how its developers constantly diversified the ransomware’s attack chain while broadening its capabilities to stay ahead of the game," notes TrendMicro's Gilbert Sison, Threats Analyst.
Cerber uses spam emails as its way into people's computers. Version 6 arrives in socially engineered emails carrying a zipped attachment that contains a malicious JavaScript file. Once opened, the JS file downloads and executes the payload, creates a scheduled task that runs Cerber after two minutes, or runs an embedded PowerShell script.
As TrendMicro's experts point out, adding a time delay in the attack chain enables the ransomware to elude traditional sandboxes.
Cerber 6 has several features that stand out to researchers. One is a routine that terminates processes to ensure files can be encrypted. Another is a check on file extensions, so it knows which files to skip during the encryption process.
"Cerber 6 goes beyond identifying them and can now be configured to have Windows firewall rules added in order to block the outbound traffic of all the executable binaries of firewalls, antivirus, and antispyware products installed in the system. This can possibly restrict their detection and mitigation capabilities. This is further exacerbated by how Cerber can also circumvent static machine learning detection on top of self-awareness of analysis tools and virtualized environments that allows it to evade them (by self-destructing)," note the researchers.
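Two of the behaviours described above, the script-host-created scheduled task that fires a couple of minutes later and the outbound firewall block rules aimed at security products, both leave a visible trace in process-creation telemetry. The following detection sketch is an added example, not code from the article or from TrendMicro. It runs two checks over constructed Sysmon-style events; the file paths, task name and "ExampleAV" product are placeholders, and the assumption that the firewall rules are added through a `netsh advfirewall` command line (as well as the five-minute "short delay" threshold) is mine, not a detail the article states.

```python
"""Added detection sketch for the Cerber 6 behaviours described in the article.

Assumptions (not from the article): events are Sysmon-style process-creation
records flattened to dicts; firewall rules are added via netsh advfirewall;
a scheduled task due within five minutes of creation counts as a short delay.
"""
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

# Constructed sample events: hypothetical paths and names, not IoCs from the article.
SAMPLE_EVENTS = [
    {"time": "2017-04-05T14:30:15", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /SC ONCE /TN "SysUpdate" /TR "C:\Users\victim\AppData\Local\Temp\payload.exe" /ST 14:32'},
    {"time": "2017-04-05T14:32:40", "parent": r"C:\Users\victim\AppData\Local\Temp\payload.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="blk" dir=out action=block program="C:\Program Files\ExampleAV\avscan.exe"'},
    {"time": "2017-04-05T09:00:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks.exe /Query /FO LIST"},
    {"time": "2017-04-05T09:05:00", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="web" dir=in action=allow protocol=TCP localport=8080'},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline):
    """Minimal /flag -> value parser for schtasks command lines (quoted values kept whole)."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    args, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key, val = tokens[i].lower(), None
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                val = tokens[i + 1].strip('"')
                i += 1
            args[key] = val
        i += 1
    return args


def check_scheduled_task(ev, max_delay=timedelta(minutes=5)):
    """Flag schtasks /Create spawned by a script host and measure the delay until /ST."""
    if basename(ev["image"]) != "schtasks.exe" or basename(ev["parent"]) not in SCRIPT_HOSTS:
        return None
    args = parse_schtasks(ev["cmdline"])
    if "/create" not in args:
        return None
    finding = {"rule": "script-host-schtasks", "task": args.get("/tn"), "run": args.get("/tr")}
    start = args.get("/st")
    if start and re.fullmatch(r"\d\d:\d\d", start):
        seen = datetime.fromisoformat(ev["time"])
        run_at = seen.replace(hour=int(start[:2]), minute=int(start[3:]), second=0)
        delay = run_at - seen
        finding["delay_minutes"] = round(delay.total_seconds() / 60)
        # A task due within minutes of the script that dropped it is the
        # time-delay sandbox-evasion pattern the article describes.
        finding["short_delay"] = timedelta(0) <= delay <= max_delay
    return finding


def check_firewall_block(ev):
    """Flag netsh adding an outbound block rule tied to a specific program."""
    if basename(ev["image"]) != "netsh.exe":
        return None
    cl = ev["cmdline"].lower()
    if not all(k in cl for k in ("advfirewall", "add rule", "dir=out", "action=block")):
        return None
    m = re.search(r'program=(?:"([^"]*)"|(\S+))', ev["cmdline"], re.I)
    program = (m.group(1) or m.group(2)) if m else None
    return {"rule": "outbound-block-rule", "program": program, "parent": basename(ev["parent"])}


def scan(events):
    """Run both checks over a list of events and return the findings in order."""
    findings = []
    for ev in events:
        for check in (check_scheduled_task, check_firewall_block):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

Run against the constructed events, the first check reports the wscript-spawned task with a two-minute delay and the second reports the outbound block rule for the placeholder AV binary, while the benign `schtasks /Query` and the inbound allow rule produce nothing. In a real deployment the program path in the second finding would be compared against the install directories of the security products actually present on the host.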
Furthermore, Cerber 6 has dropped the RSA and RC4 implementations from its encryption routine in favor of the Windows Cryptographic Application Programming Interface (CryptoAPI). It also includes a function that reads a file's content and encrypts it.