The Cerber ransomware is using new evasion techniques designed to elude machine learning security solutions, and has been observed being dropped onto compromised systems alongside the Kovter click-fraud Trojan.
Discovered in March last year, Cerber has grown to become one of the most prevalent ransomware families out there. Not only did the malware receive various enhancements over the past year, but it also used numerous distribution channels, including spam emails and exploit kits, as well as other malware.
In August last year, Invincea researchers discovered that Cerber was being distributed by Betabot, a piece of malware initially designed as a banking information stealing Trojan. Now, Cyren researchers are seeing Cerber being dropped by Kovter, a click-fraud Trojan that was dropping Locky several months ago.
The campaign uses spam emails with a JS downloader inside a .ZIP archive and relies on victims unknowingly activating the downloader, which immediately fetches both malware families. The ransomware encrypts users’ files and announces that via a ransom note, but the Kovter malware remains silent, especially since it is capable of fileless infections.
Cyren offers several possible reasons for pairing Kovter with Cerber: to make full use of the infected system’s resources for ad fraud while the victim leaves it idle; to keep a foothold after Cerber is removed (the victim will focus on the ransomware, not on the fileless Trojan); or to diversify revenue.
What the researchers are certain about, however, is that anti-sandbox and anti-detection technology is used to ensure maximum infection success. Similarly, Trend Micro security researchers have observed Cerber using a new loader that can evade not only traditional security mechanisms, but machine learning solutions as well. The loader, they say, has been designed to hollow out a normal process and run Cerber’s code instead.
The observed campaign relies on spam emails to deliver a link to a self-extracting archive that has been uploaded to a Dropbox account controlled by the attackers, and which contains three files: a Visual Basic script, a DLL file, and a binary file that looks like a configuration file. The script was designed to run using the Windows Script Host and to load the DLL file using rundll32.exe with the DLL’s filename.
The DLL, which is not packed or encrypted, reads the configuration file, decrypts part of it, and executes the decrypted code, which contains the loader and configuration settings. The loader checks whether it is running in a virtual machine or sandbox, whether analysis tools are installed, and whether anti-virus software is running, and ends the infection process if it finds any of these. Next, the main payload (the Cerber binary) is injected into another process.
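The delivery chain above (a script run by Windows Script Host that launches rundll32.exe with a DLL dropped from the self-extracting archive) leaves a parent/child trace in endpoint telemetry. The following detection example is added here and is not from the article or from the vendors’ reports: it correlates constructed process-creation events and flags a script host spawning rundll32.exe to load a DLL from a user-writable directory; the Event record, field names and sample paths are assumptions.

```python
import ntpath
from collections import namedtuple

# Constructed event record (loosely modelled on Sysmon process-creation events).
Event = namedtuple("Event", "pid ppid image cmdline")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")

def first_arg(cmdline):
    """Return the first argument after the program name, honouring quotes."""
    s = cmdline.strip()
    prog_end = s.find('"', 1) + 1 if s.startswith('"') else s.find(" ")
    s = s[prog_end:].lstrip() if prog_end > 0 else ""
    if s.startswith('"'):                         # quoted argument
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split()[0] if s else None

def dll_from_rundll32(cmdline):
    """Extract the DLL path from a rundll32 command line (<dll>[,<entrypoint>])."""
    arg = first_arg(cmdline)
    return arg.split(",", 1)[0] if arg else None

def find_loader_chains(events):
    """Return (script_pid, rundll32_pid, dll_path) for each rundll32.exe that a
    script host spawned to load a DLL from a user-writable directory."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "rundll32.exe":
            continue
        parent = by_pid.get(e.ppid)
        if not parent or ntpath.basename(parent.image).lower() not in SCRIPT_HOSTS:
            continue
        dll = dll_from_rundll32(e.cmdline)
        if dll and any(d in dll.lower() for d in USER_WRITABLE):
            hits.append((parent.pid, e.pid, dll))
    return hits

# Constructed telemetry: a benign Control Panel launch (explorer -> rundll32) and
# a loader-like chain (wscript -> rundll32 with a DLL in %TEMP%).
SAMPLE_EVENTS = [
    Event(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(500, 400, r"C:\Windows\System32\rundll32.exe", r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'),
    Event(600, 400, r"C:\Windows\System32\wscript.exe", r'"C:\Windows\System32\wscript.exe" "C:\Users\v\AppData\Local\Temp\sfx\run.vbs"'),
    Event(601, 600, r"C:\Windows\System32\rundll32.exe", r'rundll32.exe "C:\Users\v\AppData\Local\Temp\sfx\loader.dll",DllEntry'),
]
```

Running `find_loader_chains(SAMPLE_EVENTS)` returns only the wscript-to-rundll32 chain; the explorer-launched Control Panel applet is ignored because its parent is not a script host and its DLL sits in System32.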
“The new packaging and loading mechanism employed by Cerber can cause problems for static machine learning approaches, i.e., methods that analyze a file without any execution or emulation. Self-extracting files and simple, straightforward files could pose a problem for static machine learning file detection. In other words, the way Cerber is packaged could be said to be designed to evade machine learning file detection,” Trend Micro explains.
The good news, the researchers say, is that this new evasion technique can be defeated by security approaches that employ multiple layers of protection, because the attack has other weaknesses, such as the use of an unpacked .DLL file. Solutions that don’t overly rely on machine learning can still prove effective against this threat.