SecurityWeek

Cybercrime

Cerber 4.0 Fuels New Wave of Ransomware Attacks

The latest variant of the notorious Cerber ransomware family is currently featured in several infection campaigns, security researchers warn.

Dubbed Cerber 4.0, the malware version emerged in early October and appears to have already become highly popular among cybercriminals for use in malvertising campaigns. What’s more, three of the most used exploit kits (EKs) at the moment, namely RIG, Neutrino, and Magnitude, have all switched to Cerber 4.0 recently.

Released one month after Cerber 3.0, the new malware variant uses a randomly generated file extension (previously, the ransomware used the .cerber3 extension, and .cerber and .cerber2 before that) and has shifted from an HTML ransom note to an HTA one.

Already one of the most prominent ransomware families of 2016 – a highly successful Ransomware-as-a-service (RaaS) – Cerber has received rapid updates that increased its popularity among EKs, Trend Micro security researchers say.

Most recently, Cerber 4.0 was seen being dropped by the RIG toolkit, currently the most active EK, in a malvertising campaign known as PseudoDarkleech. Continuously changing, the campaign was previously seen distributing ransomware such as CrypMIC and CryptXXX, but switched to Cerber 4.0 on Oct. 1, researchers say.

Another malvertising campaign now dropping Cerber 4.0 leverages the Magnitude exploit kit, which has long been used to deliver Cerber variants. Since October 3, Magnitude has been continuously dropping Cerber 4.0 onto target devices in Asia: Taiwan, Korea, Hong Kong, Singapore and China.

Additionally, a campaign that usually employs a casino-themed fake advertisement, and that previously delivered the Andromeda or Betabot malware, switched to Cerber 4.0 on Oct. 4. The campaign, which had never before distributed Cerber, was using RIG to drop the new ransomware variant, researchers say. Previously, Betabot was seen dropping Cerber as a secondary payload.

Another interesting campaign focused on distributing Cerber 4.0 starting with October 3 is leveraging the Neutrino exploit kit and targets users in the US, Germany, Spain, Taiwan and Korea. Recently, Neutrino’s operators said they were closing shop, but it appears that they might have merely entered a private mode, where only VIP clients handling larger operations would have access to the toolkit.

“Malvertising and exploit kits in general are being developed and improved constantly by cybercriminals, so keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities,” Trend Micro researchers note.

 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
