Cerber Ransomware Tries to Evade Machine Learning Security

The Cerber ransomware is using new evasion techniques designed to elude machine learning security solutions, and has been observed being dropped onto compromised systems alongside the Kovter click-fraud Trojan.

Discovered in March last year, Cerber has grown to become one of the most prevalent ransomware families out there. Not only did the malware receive various enhancements over the past year, but it also used numerous distribution channels, including spam emails and exploit kits, as well as other malware.

In August last year, Invincea researchers discovered that Cerber was being distributed by Betabot, a piece of malware initially designed as a banking information stealing Trojan. Now, Cyren researchers are seeing Cerber being dropped by Kovter, a click-fraud Trojan that was dropping Locky several months ago.

The campaign uses spam emails with a JS downloader inside a .ZIP archive and relies on victims unknowingly activating the downloader, which immediately fetches both malware families. The ransomware encrypts users’ files and announces that via a ransom note, but the Kovter malware remains silent, especially since it is capable of fileless infections.

According to Cyren, Kovter was paired with Cerber to maximize system resources for ad fraud, if the victim leaves the infected system idle; to ensure the malware remains on the system after Cerber is removed (the victim will focus on the ransomware, not on the fileless Trojan); or to diversify revenue.

What the researchers are certain about, however, is that anti-sandbox and anti-detection technology is used to ensure maximum infection success. Similarly, Trend Micro security researchers have observed Cerber using a new loader that can evade not only traditional security mechanisms, but machine learning solutions as well. The loader, they say, has been designed to hollow out a normal process and run Cerber’s code instead.

The observed campaign relies on spam emails to deliver a link to a self-extracting archive that has been uploaded to a Dropbox account controlled by the attackers, and which contains three files: a Visual Basic script, a DLL file, and a binary file that looks like a configuration file. The script was designed to run using the Windows Script Host and to load the DLL file using rundll32.exe with the DLL’s filename.

The DLL, which is not packed or encrypted, reads the configuration file, decrypts part of it, and executes the decrypted code, which contains the loader and configuration settings. The loader checks if it runs in a virtual machine or sandbox, if analysis tools are installed, and if anti-virus software is running and ends the infection process if it finds any. Next, the main payload (the Cerber binary) is injected in another process.
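As an added illustration (not code from the article, Cyren or Trend Micro), here is a small detection run over constructed process-creation events that flags the loading stage described above: a Windows Script Host process launching rundll32.exe to load a DLL from a relative or user-writable path. The event fields, the list of user-writable path fragments and the sample events are assumptions.

```python
import ntpath
from typing import NamedTuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host processes
# Assumed drop locations for a self-extracting archive opened from a mail link.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


class ProcEvent(NamedTuple):
    parent_image: str   # process that spawned the new one
    command_line: str   # full command line of the new process


def _take_token(s):
    """Split off the first command-line token, honouring double quotes."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:]
    tok, _, rest = s.partition(" ")
    return tok, rest


def rundll32_dll(command_line):
    """DLL that rundll32.exe was asked to load, or None for any other command."""
    exe, rest = _take_token(command_line)
    if ntpath.basename(exe).lower() != "rundll32.exe":
        return None
    dll, _ = _take_token(rest)
    return dll.split(",", 1)[0] or None  # rundll32 syntax: <dll>,<entrypoint>


def is_suspicious(ev):
    """Script host launching rundll32 on a DLL from a relative or user-writable path."""
    if ntpath.basename(ev.parent_image).lower() not in SCRIPT_HOSTS:
        return False
    dll = rundll32_dll(ev.command_line)
    if dll is None:
        return False
    if not ntpath.dirname(dll):
        return True  # bare filename resolves from the script's working directory
    return any(frag in dll.lower() for frag in USER_WRITABLE)


def find_alerts(events):
    return [ev for ev in events if is_suspicious(ev)]


WSH = r"C:\Windows\System32\wscript.exe"
SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    ProcEvent(WSH, r"rundll32.exe C:\Users\alice\AppData\Local\Temp\sfx\loader.dll"),
    ProcEvent(WSH, r"rundll32.exe loader.dll"),
    ProcEvent(r"C:\Windows\explorer.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(WSH, r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'),
    ProcEvent(WSH, r"cmd.exe /c echo hello"),
]
```

Only the first two sample events match: a system DLL loaded from System32 and an explorer.exe parent are left alone, which keeps ordinary Control Panel launches out of the alert list.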


“The new packaging and loading mechanism employed by Cerber can cause problems for static machine learning approaches, i.e., methods that analyze a file without any execution or emulation. Self-extracting files and simple, straightforward files could pose a problem for static machine learning file detection. In other words, the way Cerber is packaged could be said to be designed to evade machine learning file detection,” Trend Micro explains.

The good news, the researchers say, is that this new evasion technique can be defeated by security approaches that employ multiple layers of protection, because the attack has other weaknesses, such as the use of an unpacked .DLL file. Solutions that don’t overly rely on machine learning can still prove effective against this threat.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
