CERBER Ransomware’s Distribution Updated (March 2017) - How to, Technology and PC Security Forum | SensorsTechForum.com

Security researchers report that CERBER ransomware can now evade security software by using a new obfuscation technique. Because most security products have machine learning features that block the loaders of viruses such as Cerber, the ransomware now uses a new tool that evades them.

The obfuscation tool is in fact a script that injects code into legitimate processes whitelisted by security programs; the malicious CERBER code is then activated through those ordinary processes.

E-Mail Spam Not Significantly Changed

The distribution tricks by which CERBER slithers onto a machine have not changed much, and the same old e-mail spam messages are used. These spam e-mails do, however, carry a very specific .exe file: an SFX (self-extracting archive). Files of this type extract the malicious CERBER ransomware executable, which is then run automatically.

This executable then uses the legitimate process rundll32.exe to run a .dll file without being detected. That action runs a binary, which in turn runs another executable that contains the CERBER ransomware. The interesting part is that the loader itself is contained in CERBER ransomware’s binary and is more complicated than initially supposed. The loader is configured to detect virtual drives or the following antivirus programs or software:

360
AVG
Bitdefender
Dr. Web
Kaspersky
Norton
Trend Micro
Msconfig
Sandboxes
Regedit
Task Manager
Virtual Machines
Wireshark

In the event that any of these programs is running on the victim’s computer, the virus immediately stops running.

According to Trend Micro researchers, the separate loader dropped after executing the script from the Rundll32.exe file is used primarily because of the machine learning features of most modern anti-malware products. These extras can detect malicious files not by their unique SHA or MD5 hashes and signatures but by the activity and the code of the files themselves. Loading the files separately, by taking advantage of a legitimate process, can make behavioral blocking of the threat significantly more difficult for machine learning algorithms. A further difficulty comes from the type of executable being used: SFX.

These self-extracting archives make the process even harder because the files themselves are not illegitimate and can be created by programs like RARLab, WinRAR and others, with a different signature every time. And since the activity of those files is always the same, the machine sees the same behavior from the SFX executable, which it deems legitimate, making behavioral detection more difficult.
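As an added example that is not part of the original article, the following Python script shows how a defender might hunt in process-creation telemetry for the chain described above: an executable run from an SFX extraction folder launching rundll32.exe with a DLL outside the Windows system directories. The Sysmon-like key=value event lines, the temp-folder heuristic and the field names are constructed assumptions, not indicators published by Trend Micro.

```python
"""Hunt for the CERBER loader chain in process-creation telemetry: an executable
run from an SFX extraction folder launching rundll32.exe with a DLL outside the
Windows system directories. Event lines are constructed sample data."""
import re
from typing import Dict, List

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumption: SFX archives unpack into the user's temp folder before running
# their payload, so a parent image under that folder marks an SFX extraction.
TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed sample data, simplified Sysmon-like form
    'Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\RarSFX0\\x.dll,Entry" '
    'ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\RarSFX0\\invoice.exe',
    'Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe shell32.dll,Control_RunDLL" '
    'ParentImage=C:\\Windows\\explorer.exe',
    'Image=C:\\Tools\\7z.exe CommandLine="7z.exe x a.7z" '
    'ParentImage=C:\\Windows\\explorer.exe',
]

def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value event line; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def dll_from_cmdline(cmdline: str) -> str:
    """Return the DLL argument of a rundll32 command line (text before the comma)."""
    parts = cmdline.split(None, 1)
    return parts[1].split(",", 1)[0].strip('"') if len(parts) == 2 else ""

def is_suspicious(ev: Dict[str, str]) -> bool:
    """True for rundll32.exe spawned from a temp folder with a non-system DLL path."""
    if not ev.get("Image", "").lower().endswith("\\rundll32.exe"):
        return False
    parent_in_temp = bool(TEMP_RE.search(ev.get("ParentImage", "")))
    dll = dll_from_cmdline(ev.get("CommandLine", "")).lower()
    # A bare DLL name (no path) resolves through the normal search order; only
    # an explicit path outside the system directories is treated as a hit.
    dll_outside_system = "\\" in dll and not dll.startswith(SYSTEM_DIRS)
    return parent_in_temp and dll_outside_system

def flag_events(lines: List[str]) -> List[Dict[str, str]]:
    """Parse each line and keep only the events matching the loader chain."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_EVENTS):
        print("suspicious rundll32 launch:", ev["ParentImage"], "->", ev["CommandLine"])
```

Only the first constructed event is flagged; the legitimate rundll32 call with a bare system DLL name from explorer.exe is not.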

Despite this, infection can still be prevented if you, the user, have adequate anti-malware protection and, in addition, the means to protect yourself from malicious archives sent in spam e-mails, such as the SFX ones.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
