
CERBER Ransomware’s Distribution Updated (March 2017)

Security researchers report that CERBER ransomware can now evade security software by using a new obfuscation technique. Since most security software now has machine learning features that block virus loaders such as Cerber's, the ransomware uses a new tool that evades them.

The obfuscation tool is actually a script that injects code into legitimate processes that are whitelisted by security programs; the malicious CERBER code is then activated through those regular processes.

E-Mail Spam Not Significantly Changed

The distribution tricks and the way CERBER is delivered have not changed much, and the same old e-mail spam messages are used. These spammed e-mails do contain a very specific .exe file, though: an SFX (self-extracting archive). This type of file extracts the malicious executable of CERBER ransomware, which is then executed automatically.

This executable then uses the legitimate process rundll32.exe to run a .dll file without being detected. This results in a binary being run, which in turn runs another executable that contains CERBER ransomware. The interesting part is that the loader itself is contained in CERBER ransomware's binary and is more complicated than initially supposed. The loader is configured to detect virtual drives or the following antivirus programs and tools:

  • 360
  • AVG
  • Bitdefender
  • Dr. Web
  • Kaspersky
  • Norton
  • Trend Micro
  • Msconfig
  • Sandboxes
  • Regedit
  • Task Manager
  • Virtual Machines
  • Wireshark

In the event that any of these programs is running on the victim's computer, the virus immediately stops running.

According to Trend Micro researchers, the separate loader, dropped after the script is executed via rundll32.exe, is used primarily because of the machine learning features of most modern anti-malware products. These extras can detect malicious files not on the basis of their unique SHA or MD5 hashes and signatures but on the basis of the activity and the code of the files themselves. Loading the files separately, by taking advantage of a legitimate process, makes behavioral blocking of the threat significantly more difficult for machine learning algorithms. Another difficulty is the type of executable being used: SFX.

These self-extracting archives make the process even more difficult because the files themselves are not illegitimate and can be created by programs such as RARLab's WinRAR and others, with a different signature every time. And because the activity of those files is always the same, the machine observes the same, legitimate-looking behavior from the SFX executable, which makes the ransomware harder to detect.
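The chain described above (an SFX executable dropped to a user-writable folder, rundll32.exe loading a DLL from outside the Windows directory, and a further binary spawned from there) is something process-creation telemetry can flag. The following detector is an added example, not code from the article or from Trend Micro; the event records and the file paths in them are constructed to resemble Sysmon process-creation events and are not real indicators.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # SFX attachment extracted and run from %TEMP% (constructed path)
    {"pid": 200, "ppid": 100, "image": r"C:\Users\alice\AppData\Local\Temp\invoice_2017.exe",
     "cmdline": "invoice_2017.exe"},
    # rundll32.exe asked to load a DLL from the SFX extraction folder
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\RarSFX0\plugin.dll,Entry"},
    # the binary that rundll32's DLL goes on to start
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\payload.exe",
     "cmdline": "payload.exe"},
    # Benign control: a service host running rundll32 with a DLL under System32
    {"pid": 500, "ppid": 1,   "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|ProgramData)\\", re.I)
SYSTEM_DIR = re.compile(r"^[A-Z]:\\Windows\\", re.I)

def is_rundll32(ev):
    return ev["image"].lower().endswith("\\rundll32.exe")

def dll_arg(cmdline):
    """Return the DLL path rundll32 was asked to load, or None if none is visible."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', cmdline, re.I)
    return m.group(1) if m else None

def detect_rundll32_chain(events):
    """Return (pid, reasons) for each rundll32 launch that matches the SFX -> rundll32 -> binary pattern."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    alerts = []
    for e in events:
        if not is_rundll32(e):
            continue
        reasons = []
        parent = by_pid.get(e["ppid"])
        if parent and USER_WRITABLE.search(parent["image"]):
            reasons.append("parent executable runs from a user-writable directory")
        dll = dll_arg(e["cmdline"])
        if dll and not SYSTEM_DIR.match(dll):
            reasons.append("DLL loaded from outside the Windows directory")
        if any(USER_WRITABLE.search(c["image"]) for c in children[e["pid"]]):
            reasons.append("rundll32 spawned an executable from a user-writable directory")
        if reasons:
            alerts.append((e["pid"], reasons))
    return alerts
```

Only the constructed SFX chain (pid 300) is reported; the svchost-launched rundll32 with a System32 DLL produces no alert, which is the kind of benign baseline a rule like this has to tolerate.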

Despite all of this, the infection can still be prevented if you, the user, have adequate anti-malware protection and, in addition, have the means to protect yourself from malicious archives sent in spam e-mails, such as the SFX ones.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. A strong believer in basic online-safety education for every user.
