CERBER ransomware has been reported by security researchers to be able to evade security software by using a new obfuscation technique. Since most security products now include machine learning features that block the loaders of malware such as Cerber, the ransomware uses a new loader designed to slip past them.
The obfuscation tool is a script that injects code into legitimate processes which security programs whitelist; the malicious CERBER code is then run from inside those trusted processes.
E-Mail Spam Not Significantly Changed
The distribution tricks and the way CERBER is delivered have not changed much: the same old spam e-mail messages are used. These spam e-mails carry a very specific .exe file, though: an SFX (self-extracting archive). Files of this type extract the malicious CERBER executable, which is then run automatically.
This executable then uses the legitimate process rundll32.exe to run a .dll file without being detected. That DLL in turn runs a binary, and that binary runs yet another executable, which contains the CERBER ransomware. The interesting part is that the loader is itself contained in CERBER's binary, and it is more complicated than initially supposed: it is configured to detect virtual machines as well as a set of antivirus programs and other security software.
In the event that any of these are present on the victim's computer, the loader immediately stops running.
According to Trend Micro researchers, the separate loader dropped after the script runs through rundll32.exe exists primarily because of the machine learning features of most modern anti-malware products. These features detect malicious files not by their unique SHA or MD5 hashes and signatures, but by the activity and the code of the files themselves. Loading the payload in separate stages through a legitimate process makes behavioral blocking of the threat significantly harder for machine learning models. Another difficulty is the type of executable used: SFX.
These self-extracting archives complicate matters further because the files themselves are not illegitimate: they can be created by programs such as WinRAR (from RARLAB) and others, and every one of them has a different hash. And because the behavior of such files is always the same, the engine sees the familiar behavior of an SFX executable, which it deems legitimate, making the ransomware harder to detect.
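An SFX is structurally a PE stub with an archive appended after its last section, so a mail gateway can recognise one without relying on the stub's hash at all: parse the PE section table to find where the overlay begins and look for an archive signature there. The following code is an added example, not from the article or from any archiver vendor; the PE header offsets are the standard PE/COFF layout, and the sample input is a constructed minimal one-section stub with an archive header appended, not a real WinRAR or 7-Zip SFX.

```python
"""Identify self-extracting archives by finding an archive appended to a PE stub.

Added example. Header offsets follow the PE/COFF specification; build_fake_sfx()
produces a constructed test input, not a real SFX module.
"""
import struct

# Signature bytes of archive formats commonly shipped inside SFX executables.
ARCHIVE_MAGICS = {
    "rar4": b"Rar!\x1a\x07\x00",
    "rar5": b"Rar!\x1a\x07\x01\x00",
    "7z": b"7z\xbc\xaf\x27\x1c",
    "zip": b"PK\x03\x04",
}


def overlay_offset(data: bytes):
    """Return the offset where the PE's sections end (start of any overlay), or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            return None
        num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
        opt_header_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
        section_table = e_lfanew + 24 + opt_header_size
        end = section_table + 40 * num_sections  # at least the headers themselves
        for i in range(num_sections):
            # Section header: SizeOfRawData at +16, PointerToRawData at +20.
            size_raw, ptr_raw = struct.unpack_from("<II", data, section_table + 40 * i + 16)
            end = max(end, ptr_raw + size_raw)
    except struct.error:
        return None
    return end


def classify_sfx(data: bytes):
    """Return (archive_kind, offset) if an archive signature sits in the PE overlay, else None."""
    start = overlay_offset(data)
    if start is None or start >= len(data):
        return None
    overlay = data[start:]
    hits = [(overlay.find(magic), kind) for kind, magic in ARCHIVE_MAGICS.items()]
    hits = [(pos, kind) for pos, kind in hits if pos != -1]
    if not hits:
        return None
    pos, kind = min(hits)  # earliest signature in the overlay wins
    return (kind, start + pos)


def build_fake_sfx(archive_kind: str) -> bytes:
    """Constructed test input: a minimal one-section PE stub with an archive header appended."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=i386, 1 section, no optional header (enough for this parser).
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_ptr, raw_size = 0x200, 0x200
    section = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos_header + b"PE\x00\x00" + coff + section
    stub = headers + b"\x00" * (raw_ptr - len(headers)) + b"\xC3" * raw_size
    return stub + ARCHIVE_MAGICS[archive_kind] + b"constructed archive body"


if __name__ == "__main__":
    for kind in ARCHIVE_MAGICS:
        print(kind, classify_sfx(build_fake_sfx(kind)))
```

Searching the overlay rather than the whole file matters: a signature string inside a section could be an innocent resource, while anything past the last section is data the loader has to read itself, which is how every SFX stub works. 7-Zip SFX modules put a small configuration block before the archive, which is why the code searches the overlay instead of checking only its first bytes.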
Despite this, infection can still be prevented if you, the user, have adequate anti-malware protection and, in addition, a way of protecting yourself from malicious archives sent in spam e-mails, such as these SFX files.