![\"Instructions](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/12\/Cerber-2-word_doc_instructions.png\")
<\/p>\nAs the shopping sprees become increasingly frenetic during holiday season, it\u2019s hard not to worry about how much credit card debt we\u2019re piling. Some of us rely on email notifications from our banks to track the damage to our finances. So what happens when we suddenly get notified about charges for things we never bought?<\/p>\n
Microsoft security researchers have received samples of personalized emails that appear to be MasterCard \u00a0notifications. Although not without flaws, these emails can be very effective malware vectors\u2014they can trigger an urgent need to act and open the attached payload.<\/p>\n
The payload is a macro downloader embedded in a Word document. Starting with Office 2010, documents from untrusted sources are displayed in Protected View and macros are disabled by default. To overcome this security measure, the malware authors crafted the contents of the attached Word document so that unsuspecting users are convinced about enabling macros to see supposedly important content.<\/p>\n
As seen in the screenshot below, the Word document provides step-by-step instructions telling users to leave Protected View and enable macros. One should note that legitimate notifications from MasterCard and other credit card companies do not ask recipients to enable macros.<\/p>\n
<\/p>\n
Figure <\/em>1<\/em>. Instructions in the attached document about enabling macros; these instructions are not from Microsoft<\/em><\/p>\n Once the macro is allowed\u00a0to run, it downloads and launches Cerber, a known ransomware<\/a>. Cerber victims, recipients who don\u2019t have robust antimalware<\/a>, are bound to learn a potentially pricey lesson in computing safety.<\/p>\n Although some aspects of the socially engineered emails are weak, they do have some strong points:<\/p>\n Below is a recreation of one of the sample messages received by Microsoft security researchers. It has been modified to protect the original recipient.<\/p>\n Figure <\/em>2<\/em>. <\/em>Recreated attack email<\/em>\u00a0 (original recipient information has been anonymized)<\/em>\u00a0<\/em><\/p>\n There are some social engineering flaws in the attack emails. In our sample, the sender address does not spoof MasterCard or a bank, making it much less convincing. Also, the apparent use of automated code to copy the recipient local-name to the salutation section of the message and the file name of the attached document is a giveaway. We do concede, however, that this simple attempt at personalization can work and is in fact employed in attacks associated with the highly prevalent Ransom:Win32\/Locky<\/a>.<\/p>\n The email itself is crude and shows almost no attempt to feign legitimacy. It contains some typographical errors, such as the missing number between the dollar sign and the comma in our sample. Also, users who are careful enough will likely notice that the sender address does not match the signatory.<\/p>\n Figure <\/em>3<\/em>. Social engineering flaws in the attack email<\/em><\/p>\n On the technical side, the use of a password-protected Word document allows the embedded macro code to avoid detection by many email scanners. Without password-protection, the macro code is easily detected by antimalware engines\u00a0. (Microsoft detects the macro code in our samples as TrojanDownloader:O97M\/Donoff.CU<\/a>\u00a0.) To an extent, password-protection also makes the attachment appear legitimate\u2014many bank documents are typically transmitted as password-protected files.<\/p>\n When our researchers detonated the payload by opening the attached document and enabling macros, the embedded macro code began downloading a variant of a known ransomware from the following URL:<\/p>\n hxxps:\/\/2cbhkcjhn5suq6t6.onion.to\/explore.exe<\/em><\/p>\n This URL is a hidden Tor web location made available to all web browsers by Tor2web. Hidden Tor web locations allow publishers to stay anonymous and protected from political persecution. However, this anonymity can also be abused by criminals.<\/p>\n Once the download completes, the macro runs PowerShell commands to launch the downloaded ransomware.<\/p>\n The ransomware component is a variant of Ransom:Win32\/Cerber<\/a>. Like most ransomware, Cerber encrypts files to render them inaccessible. Unfortunate users who detonate the macro end up with a lot of encrypted files as shown below. Note that the extension name of the encrypted files is not static\u2014Cerber uses a pseudorandom extension.<\/p>\n Figure <\/em>4<\/em>. Inaccessible user files encrypted by Cerber <\/em><\/p>\n Cerber behavior has not changed much compared to earlier versions. After encrypting the files, Cerber attempts to collect ransom by opening a window that displays its ransom note.<\/p>\n Figure <\/em>5<\/em>. Cerber ransom note<\/em><\/p>\n As an additional reminder to its victims, Cerber modifies the desktop wallpaper:<\/p>\n Figure <\/em>6<\/em>. Cerber wallpaper serves a painful reminder to victims<\/em><\/p>\n In the ransom note, users are reassured that their files are intact and are told to purchase the Cerber Decryptor from a list of URLs. Victims who do not purchase the decryption tool are left unable to access the contents of their files.<\/p>\n Victims who do go to the URLs find the same features that the scammers have had on their website since the early versions of Cerber:<\/p>\n Below are screenshots of the ransomware website.<\/p>\n Figure <\/em>7<\/em>. Language options on the ransomware website<\/em><\/p>\n Figure <\/em>8<\/em>. Anti-robot CAPTCHA on the ransomware website<\/em><\/p>\n Figure <\/em>9<\/em>. Special rate countdown on the ransomware website<\/em><\/p>\n An effective way to avoid this ransomware attack is to be extremely wary of unsolicited emails and emails coming from unknown sources. Check the sender name and consider contacting the company or institution represented by the unsolicited email to verify the email\u2019s authenticity.<\/p>\n Ransomware may also come from other sources, including pirated software and along with legitimate applications that have been repackaged inside a software bundler<\/a>. Obtain software from trustworthy sources, such as the Windows Store, or directly from the software vendor\u2019s website.<\/p>\n Microsoft recommends\u00a0running robust antimalware, like Windows Defender, to help stop ransomware and other malicious code from causing irreversible or costly damage. Windows Defender uses behavioral heuristics\u2014it actively checks for suspicious behavior and references advanced algorithms in the cloud. By using behavioral heuristics, Windows Defender can detect ransomware even before specific signatures become available.<\/p>\n The screenshot below shows Windows Defender detecting Cerber ransomware using only behavioral heuristics.<\/p>\n Figure <\/em>10<\/em>. Windows Defender behavior-based proactive detection of Cerber ransomware<\/em><\/p>\n Here are some more tips:<\/p>\nEngineering an urgent response<\/h2>\n
\n
![\"Recreated](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/12\/Cerber-1-email.png\")
<\/p>\nSocial engineering flaws<\/h2>\n
![\"Social](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/12\/Cerber-3-annotated_email_SE.png\")
<\/p>\nScanner evasion and anonymization<\/h2>\n
Classic case of ransomware<\/h2>\n
![\"Inaccessible](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/12\/Cerber-4-inaccessible_files.png\")
<\/p>\n![\"Cerber](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/12\/Cerber-5-ransom.png\")
<\/p>\n![\"Cerber](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/12\/Cerber-6-wallpaper-1024x543.png\")
<\/p>\n\n
![\"Language](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/12\/Cerber-7-languages-1024x652.png\")
<\/p>\n![\"Anti-robot](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/12\/Cerber-8-captcha1-1024x807.png\")
<\/p>\n![\"Special](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/12\/Cerber-9-sale_countdown1-1024x617.png\")
<\/p>\nBe safe and save<\/h2>\n
![\"Windows](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/12\/Cerber-10-BMDetection.png\")
<\/p>\nFor end users<\/strong><\/h3>\n
\n
For IT administrators<\/strong><\/h3>\n
\n