CERBER Ransomware’s Distribution Updated (March 2017) - How to, Technology and PC Security Forum | SensorsTechForum.com


CERBER ransomware has been reported by security researchers to be able to evade security software by using a new obfuscation technique. Since most security software now has machine-learning features that block the loaders of viruses like Cerber, the ransomware uses a new tool that evades them.

The obfuscation tool is actually a script that injects code into legitimate processes that are whitelisted by security programs; the malicious CERBER code is then activated through those ordinary processes.

E-Mail Spam Not Significantly Changed

The distribution tricks and the way CERBER is delivered have not changed much: the same old spam e-mail messages are used. These spammed e-mails do, however, carry a very specific .exe file – an SFX (self-extracting archive). This type of file extracts the malicious CERBER ransomware executable, which is then executed automatically.

This executable then uses the legitimate process rundll32.exe to run a .dll file without being detected. This runs a binary, which in turn runs another executable that contains the CERBER ransomware. The interesting part is that the loader itself is contained in CERBER ransomware’s binary, and it is more complicated than initially supposed. The loader is configured to detect virtual drives or the following antivirus programs or software:

Dr. Web
Trend Micro
Task Manager
Virtual Machines
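The chain described above (an executable dropped by the archive, rundll32.exe loading a DLL from a user-writable folder, and a further executable spawned from that folder) leaves a distinctive parent/child pattern in process-creation telemetry. The following is an added example, not code from the article or from Trend Micro: it scans constructed Sysmon-style Event ID 1 records (the paths, PIDs and file names are invented placeholders, not indicators from the article) and raises an alert only when at least two of the three indicators line up on one rundll32.exe instance, so ordinary rundll32.exe use from System32 is not flagged.

```python
"""Flag the rundll32.exe loading chain in process-creation telemetry.

Added example, not from the article. The event records are constructed;
field names loosely follow Sysmon Event ID 1 (Image, ParentImage,
CommandLine, ProcessId, ParentProcessId).
"""
import re
from collections import defaultdict

# Constructed sample events: hypothetical paths and PIDs, not real IoCs.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Mail\mail.exe", "cmd": "mail.exe"},
    # Executable extracted from a self-extracting archive into Temp.
    {"pid": 300, "ppid": 200, "image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe", "cmd": "invoice.exe"},
    # rundll32.exe loading a DLL from the same user-writable folder.
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\RarSFX0\update.dll,Start"},
    # Follow-on executable spawned by that rundll32.exe instance.
    {"pid": 500, "ppid": 400, "image": r"C:\Users\bob\AppData\Local\Temp\RarSFX0\svc.exe", "cmd": "svc.exe"},
    # Benign: the shell launching rundll32.exe with a DLL from System32.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Folders an unprivileged user can write to (hypothetical, extend per environment).
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
# rundll32 command line of the form: rundll32.exe <dll path>,<entry point>
DLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,', re.IGNORECASE)


def detect_rundll32_chain(events):
    """Return one alert per rundll32.exe event that shows >= 2 of 3 indicators."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    alerts = []
    for e in events:
        if not e["image"].lower().endswith(r"\rundll32.exe"):
            continue
        m = DLL_ARG.search(e["cmd"])
        dll = m.group(1) if m else None
        parent = by_pid.get(e["ppid"])
        reasons = []
        if parent and USER_WRITABLE.search(parent["image"]):
            reasons.append("parent runs from user-writable path")
        if dll and USER_WRITABLE.search(dll):
            reasons.append("dll loaded from user-writable path")
        if any(USER_WRITABLE.search(c["image"]) for c in children[e["pid"]]):
            reasons.append("spawned executable from user-writable path")
        if len(reasons) >= 2:
            alerts.append({"pid": e["pid"], "dll": dll, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_rundll32_chain(EVENTS):
        print(alert)
```

Requiring two indicators rather than one is the design choice that matters: rundll32.exe with a DLL argument is common on a healthy Windows host, so a rule that fires on the binary name alone would be drowned in noise, whereas the combination of an unusual parent, a DLL outside Program Files/System32 and a child launched from the same folder is what characterises the loader stage the article describes.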

In the event that any of these programs is running on the victim’s computer, the virus immediately stops running.

According to Trend Micro researchers, the separate loader, dropped after the script is executed via rundll32.exe, is used primarily because of the machine-learning features of most modern anti-malware products. These extras detect malicious files not by their unique SHA or MD5 hashes and signatures, but by the activity and the code of the files themselves. Loading files separately by taking advantage of a legitimate process can make behavioural blocking of the threat significantly more difficult for machine-learning algorithms. Another difficulty is the type of executable being used – SFX.

These self-extracting archives make the process even more difficult because the files themselves are not illegitimate and can be created by programs like WinRAR (RARLab) and others, with a different signature every time. And since the activity of those files is always the same, the machine sees the same behaviour from each SFX executable, which it deems legitimate, making it more difficult to single out the one that carries the ransomware.
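The point above, that each SFX build hashes differently while the payload inside stays the same, is why a hash blocklist keyed on the archive is of little use and why scanners extract and hash the members instead. The block below is an added example, not code from the article: it stands in for SFX archives with plain ZIP containers built in memory (the payload is an inert constructed text string, not a sample), shows that two builds of the same payload produce different container hashes, and then hashes the extracted member, which is identical in both.

```python
"""Hash the extracted payload, not the self-extracting container.

Added example, not from the article. ZIP archives built in memory stand in
for SFX files; the payload is an inert constructed placeholder.
"""
import hashlib
import io
import zipfile

PAYLOAD = b"inert placeholder payload - constructed for this example"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_container(member_name: str, comment: bytes) -> bytes:
    """Pack PAYLOAD into a ZIP whose archive comment differs per build,
    mimicking the per-build differences in an SFX stub or wrapper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, PAYLOAD)
        zf.comment = comment  # written into the end-of-central-directory record
    return buf.getvalue()


def extracted_member_hashes(container: bytes) -> dict:
    """Return {member name: SHA-256 of the member's decompressed bytes}."""
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        return {name: sha256(zf.read(name)) for name in zf.namelist()}


def compare_builds() -> dict:
    """Two builds of the same payload: container hashes differ, payload hash does not."""
    first = build_container("payload.bin", b"build-1")
    second = build_container("payload.bin", b"build-2")
    return {
        "container_hashes_differ": sha256(first) != sha256(second),
        "payload_hash_same": extracted_member_hashes(first) == extracted_member_hashes(second),
        "payload_sha256": extracted_member_hashes(first)["payload.bin"],
    }


if __name__ == "__main__":
    for key, value in compare_builds().items():
        print(f"{key}: {value}")
```

A real SFX differs from this ZIP stand-in in that the extractor stub is itself a PE executable, but the lesson is the same: the container hash changes with every build (stub version, options, comment, timestamps), so a blocklist or allowlist that keys on it is always one build behind, whereas the member hash, or better still the behaviour of the extracted file, is what the article's machine-learning scanners are left to reason about.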

Despite this, it can still be prevented if you, the user, have adequate anti-malware protection and, in addition, the means to protect yourself from malicious archives, like the SFX ones, sent in spam e-mails.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
