
Cerber Ransomware Tries to Evade Machine Learning Security

The Cerber ransomware is using new evasion techniques designed to elude machine learning security solutions, and has been observed being dropped onto compromised systems alongside the Kovter click-fraud Trojan.

Discovered in March last year, Cerber has grown to become one of the most prevalent ransomware families out there. Not only did the malware receive various enhancements over the past year, but it also used numerous distribution channels, including spam emails and exploit kits, as well as other malware.

In August last year, Invincea researchers discovered that Cerber was being distributed by Betabot, a piece of malware initially designed as a banking information stealing Trojan. Now, Cyren researchers are seeing Cerber being dropped by Kovter, a click-fraud Trojan that was dropping Locky several months ago.

The campaign uses spam emails with a JS downloader inside a .ZIP archive and relies on victims unknowingly activating the downloader, which immediately fetches both malware families. The ransomware encrypts users’ files and announces that via a ransom note, but the Kovter malware remains silent, especially since it is capable of fileless infections.

According to Cyren, possible reasons for pairing Kovter with Cerber include maximizing the use of system resources for ad fraud while the victim leaves the infected system idle; ensuring that malware remains on the system after Cerber is removed (the victim will focus on the ransomware, not on the fileless Trojan); and diversifying revenue.

What the researchers are certain about, however, is that anti-sandbox and anti-detection technology is used to ensure maximum infection success. Similarly, Trend Micro security researchers have observed Cerber using a new loader that can evade not only traditional security mechanisms, but machine learning solutions as well. The loader, they say, has been designed to hollow out a normal process and run Cerber’s code instead.

The observed campaign relies on spam emails to deliver a link to a self-extracting archive that has been uploaded to a Dropbox account controlled by the attackers, and which contains three files: a Visual Basic script, a DLL file, and a binary file that looks like a configuration file. The script was designed to run using the Windows Script Host and to load the DLL file using rundll32.exe with the DLL’s filename.

The DLL, which is not packed or encrypted, reads the configuration file, decrypts part of it, and executes the decrypted code, which contains the loader and its configuration settings. The loader checks whether it is running in a virtual machine or sandbox, whether analysis tools are installed, and whether anti-virus software is running, and aborts the infection if any of these checks succeed. Next, the main payload (the Cerber binary) is injected into another process.
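As an added example, not code from the article or from the vendors it cites, the following Python flags the delivery chain described above (a Windows Script Host process launching rundll32.exe with a DLL stored in a user-writable directory) in process-creation events. The event field names and the sample paths are constructed assumptions, not real telemetry.

```python
"""Detect a script host (wscript/cscript) spawning rundll32.exe with a DLL from a user-writable path."""
import re

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\sfx\invoice.vbs"'},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\sfx\payload.dll,DllEntry"},
    # Benign control: rundll32 started by explorer with a system DLL.
    {"pid": 4, "ppid": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a standard user can write to; a loader DLL dropped by an SFX archive lands here.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_dll_path(cmdline):
    """Return the DLL path from a rundll32 command line of the form 'rundll32.exe <dll>[,<entry>]'."""
    m = re.match(r'^\s*"?rundll32(?:\.exe)?"?\s+"?([^",]+)', cmdline, re.IGNORECASE)
    return m.group(1).strip() if m else None


def find_script_host_rundll32_chain(events):
    """Return one hit per rundll32 process whose parent is a script host and whose DLL is user-writable."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) != "rundll32.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        dll = rundll32_dll_path(e["cmdline"])
        if dll and USER_WRITABLE.search(dll):
            hits.append({"pid": e["pid"], "parent": _basename(parent["image"]), "dll": dll})
    return hits


if __name__ == "__main__":
    for hit in find_script_host_rundll32_chain(SAMPLE_EVENTS):
        print(f"suspicious rundll32 pid={hit['pid']} parent={hit['parent']} dll={hit['dll']}")
```

The parent-child relationship, not the DLL's contents, is what makes this check useful against an unpacked loader that static file classification may pass.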

“The new packaging and loading mechanism employed by Cerber can cause problems for static machine learning approaches, i.e., methods that analyze a file without any execution or emulation. Self-extracting files and simple, straightforward files could pose a problem for static machine learning file detection. In other words, the way Cerber is packaged could be said to be designed to evade machine learning file detection,” Trend Micro explains.

The good news, the researchers say, is that this new evasion technique can be defeated by security approaches that employ multiple layers of protection, because the attack has other weaknesses, such as the use of an unpacked .DLL file. Solutions that don’t overly rely on machine learning can still prove effective against this threat.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
