{"id":6346,"date":"2017-01-23T15:50:29","date_gmt":"2017-01-23T23:50:29","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-184\/"},"modified":"2017-01-23T15:50:29","modified_gmt":"2017-01-23T23:50:29","slug":"news-184","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-184\/","title":{"rendered":"No slowdown in Cerber ransomware activity as 2016 draws to a close"},"content":{"rendered":"

As everybody else winds down for the holidays, the cybercriminals behind Cerber<\/a> are busy ramping up their operations.<\/p>\n

Following our discovery of a spam campaign that takes advantage of holiday shopping<\/a>, we found two new campaigns that continue distributing the latest variants of\u00a0Cerber ransomware<\/a>. These campaigns are the latest in a series of persistent cybercriminal efforts that keep Cerber constantly active.<\/p>\n

\"cerber-machine-encounters\"<\/p>\n

Figure 1. Cerber activity trending\u00a0in the past three months<\/em><\/p>\n

First, we detected a fresh spam campaign that delivers document files in password-protected .zip archives. The emails use simple subject lines like \u201cHowdy\u201d or \u201cHello\u201d, while the email body seem to keep the holiday shopping theme with messages like \u201cyour order should be delivered today\u201d and \u201cStatement is attached\u201d. The password to the archive, which is usually \u201c6666\u201d in this campaign, is in the email body.<\/p>\n

\"cerber-email-1\"<\/p>\n

Figure 2. Sample spam email from recent Donoff campaign that distributes a new version of Cerber<\/em><\/p>\n

When\u00a0extracted, the document files run malicious macro code\u00a0detected by Windows Defender as TrojanDownloader:O97M\/Donoff<\/a>. Donoff is a Trojan downloader that installs malware; in this campaign, it downloads and executes Cerber.<\/p>\n

Our tracking of Donoff activity shows a spike corresponding to the email campaign.<\/p>\n

\"cerber-donoff-activity\"<\/p>\n

Figure 3. Donoff activity for the past 30 days<\/em><\/p>\n

The second campaign that we discovered distributing Cerber ransomware\u00a0uses the RIG exploit kit, which Windows Defender detects as Exploit:HTML\/Meadgive<\/a>. When a user accesses a compromised page or an attacker-controlled website hosting the exploit kit, vulnerabilities like CVE-2015-8651<\/a> are exploited, and Cerber is downloaded and executed on the computer.<\/p>\n

Telemetry from Windows Defender shows that this latest exploit kit attack that leads to Cerber largely affects Asia and Europe.<\/p>\n

\"cerber-rig-exploit-distribution\"<\/p>\n

Figure 4. Geographic distribution of victims of recent RIG exploit kit distributing Cerber<\/em><\/p>\n

The two\u00a0campaigns deliver variants of the new version of Cerber ransomware. These new iterations of the malware sport\u00a0updated configuration and behavior, demonstrating that the cybercriminals behind them are not slowing down in evolving the malware.<\/p>\n

Below are the notable updates seen in the latest version of Cerber:<\/p>\n

    \n
  1. As with the holiday-themed campaign<\/a> from a few weeks ago, these new Cerber variants arrive with a wallpaper that is noticeably modified from previous versions\u2019 green palette to red:
    \"cerber-christmas-wallpaper\"
    Figure 5. New Cerber wallpaper, which changed its color palette <\/em><\/li>\n
  2. Another level of obfuscation is used: UPX on the top of the Nullsoft installer and custom encryption used by older versions.<\/li>\n
  3. The configuration, which contains the most important data that determine the behavior of the ransomware, are encrypted using RC4 just like older versions, but using Crypto APIs instead of custom implementation.<\/li>\n
  4. Threat version information, which has been useful in tracking the evolution of Cerber, is nowhere to be found in the configuration.<\/li>\n
  5. More than 50 new file name extensions are added as targets for encryption; on the other hand, several file name extensions, including .exe., .cmd, and .msi, are exempted from the encryption routine; this latter behavior has been observed in other prominent ransomware families, but we\u2019re seeing it for the first time with Cerber.<\/li>\n
  6. Folders that are prioritized during encryption include new ones, like microsoftonenote<\/em>, microsoftoutlook<\/em>, and microsoftexcel<\/em>, among others; however, folders that are exempted from the encryption routine now include “$windows.~ws”, “intel”, and “windows10upgrade”, among others<\/li>\n
  7. Shadow copies are no longer deleted.<\/li>\n
  8. Payment site provided is now\u00a0a single Tor proxy site, compared to three proxy sites in older versions.<\/li>\n
  9. The cybercriminals added two new sets of IP ranges where command-and-control (C&C) servers\u00a0reside.<\/li>\n<\/ol>\n

    For cybercriminals, releasing a new version of malware not only increases likelihood of evading antivirus detection; it\u2019s also a way of increasing the complexity of malware. Cerber\u2019s long list of updated behavior indicates that the cybercriminals are highly motivated to continue improving the malware and the campaigns that deliver it.<\/p>\n

    It is important to note that one of the most critical updates in this latest version of Cerber is the new folders it prioritizes during encryption. The added folders, which include microsoftonenote<\/em>, microsoftoutlook<\/em>, and microsoftexcel<\/em> among others, is further indication that the malware is designed to look for critical Microsoft\u00a0Office files to encrypt in enterprise environments.<\/p>\n

    Stopping Cerber infection in Windows 10<\/h2>\n

    Windows 10 has security technologies that can detect this new batch of updated Cerber ransomwre. Keep your computers up-to-date in order to get the benefits from the latest features and proactive mitigation built into the latest versions of Windows.<\/p>\n

    Windows Defender<\/a> detects the new version of Cerber ransomware as Win32\/Cerber<\/a>. It also detects files related to the two campaigns that deliver the ransomware: the malicious attachments used in the spam campaign as TrojanDownloader:O97M\/Donoff<\/a>, and the RIG exploit kit as Exploit:HTML\/Meadgive<\/a>.<\/p>\n

    Microsoft Edge<\/a> can help prevent exploit kits from running and executing ransomware on computers. SmartScreen Filter<\/a> uses URL reputation to block access to malicious sites, such as those hosting exploit kits.<\/p>\n

    Office 365 Advanced Threat Protection<\/a> blocks malicious emails that spread malicious documents that could eventually install Cerber.<\/p>\n

    Device guard<\/a> protects systems from malicious applications like ransomware\u00a0by maintaining a custom catalog of known good applications and stopping kernel-level malware with virtualization-based security.<\/p>\n

    IT administrators can use Group Policy in Office 2016<\/a> to block known malicious macros, such as the documents in password-protected email attachments used in this campaign, from running. They can also use AppLocker group policy<\/a>\u00a0to prevent dubious software from running.<\/p>\n

    IT administrators can also use Windows Defender Advanced Threat Protection<\/a> to get alerts when suspicious activities are observed in the network, allowing them detect, investigate, and respond to ransomware infection and other advanced attacks on enterprise networks.<\/p>\n

    An in-depth look at the spam campaign<\/h2>\n

    Beyond providing protection, Microsoft Malware Protection Center (MMPC)\u00a0monitors and analyzes\u00a0Cerber and related campaigns in-depth\u00a0in order\u00a0to discern trends and gain deeper understanding of cybercriminal activity. This is how we were able to trace the evolution of Cerber and see the signs that it\u2019s not letting up.<\/p>\n

    Cerber has historically heavily used email as a primary infection vector. It is no different in this campaign.<\/p>\n

    \"cerber-email-2\"<\/p>\n

    Figure 6. Another sample spam email from recent Donoff campaign that distributes a new version of Cerber<\/em><\/p>\n

    The attachment is usually a password-protected .zip archive that contains a macro malware in the form of a Microsoft Word document. When opened, the archive prompts for a password, which is indicated in the email body. This is a change from past campaigns, which password-protected the document, rather than the .zip file itself.<\/p>\n

    \"cerber-zip-password\"<\/p>\n

    Figure 7. Attachment is a password-protected .zip archive<\/em><\/p>\n

    When extracted and executed, the document attempts to run its malicious macro code. Thus, Microsoft Office warns users\u00a0about manually enabling macro, empowering users to block infection at this point. The document lures users to enable macro by faking a Microsoft Word message.<\/p>\n

    \"cerber-macro\"<\/p>\n

    Figure 8. Malicious document lures users into enabling macro<\/em><\/p>\n

    The macro code contains obfuscated downloading routines, as seen below.<\/p>\n

    \"cerber-macro-code\"<\/p>\n

    Figure 9. Malware code showing obfuscated download link<\/em><\/p>\n

    The macro code executes the following PowerShell command to attempt to download and execute Cerber in the %AppData%<\/em> folder:<\/p>\n

    \"cerber-macro-powershell\"<\/p>\n

    Figure 10. Malware code showing PowerShell command<\/em><\/p>\n

    An in-depth look at the new Cerber version<\/h2>\n

    The latest version of Cerber\u00a0protects the configuration data embedded in the malware binary using RC4. However, while older versions use custom codes to implement RC4, this new version uses Crypto APIs. The RC4 key is still embedded in the malware binary.<\/p>\n

    \"cerber-malware-code-1\"<\/p>\n

    Figure 11. Code to pass RC4key and encrypted config data to the decryptor<\/em><\/p>\n

    \"cerber-malware-code-2\"<\/p>\n

    Figure 12. RC4 decryption using crypto APIs<\/em><\/p>\n

    Cerber adds more than 50 file name extensions to its file encryption routine, bringing the total number of target file types to 493:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
    .123<\/td>\n.1cd<\/td>\n.3dm<\/td>\n.3ds<\/td>\n.3fr<\/td>\n.3g2<\/td>\n.3gp<\/td>\n.3pr<\/td>\n.602<\/td>\n<\/tr>\n
    .7z<\/td>\n.7zip<\/td>\n.aac<\/td>\n.ab4<\/td>\n.abd<\/td>\n.acc<\/td>\n.accdb<\/td>\n.accde<\/td>\n.accdr<\/td>\n<\/tr>\n
    .accdt<\/td>\n.ach<\/td>\n.acr<\/td>\n.act<\/td>\n.adb<\/td>\n.adp<\/td>\n.ads<\/td>\n.aes<\/td>\n.agdl<\/td>\n<\/tr>\n
    .ai<\/td>\n.aiff<\/td>\n.ait<\/td>\n.al<\/td>\n.aoi<\/td>\n.apj<\/td>\n.apk<\/td>\n.arc<\/td>\n.arw<\/td>\n<\/tr>\n
    .ascx<\/td>\n.asf<\/td>\n.asm<\/td>\n.asp<\/td>\n.aspx<\/td>\n.asset<\/td>\n.asx<\/td>\n.atb<\/td>\n.avi<\/td>\n<\/tr>\n
    .awg<\/td>\n.back<\/td>\n.backup<\/td>\n.backupdb<\/td>\n.bak<\/td>\n.bank<\/td>\n.bat<\/td>\n.bay<\/td>\n.bdb<\/td>\n<\/tr>\n
    .bgt<\/td>\n.bik<\/td>\n.bin<\/td>\n.bkp<\/td>\n.blend<\/td>\n.bmp<\/td>\n.bpw<\/td>\n.brd<\/td>\n.bsa<\/td>\n<\/tr>\n
    .bz2<\/td>\n.c<\/td>\n.cash<\/td>\n.cdb<\/td>\n.cdf<\/td>\n.cdr<\/td>\n.cdr3<\/td>\n.cdr4<\/td>\n.cdr5<\/td>\n<\/tr>\n
    .cdr6<\/td>\n.cdrw<\/td>\n.cdx<\/td>\n.ce1<\/td>\n.ce2<\/td>\n.cer<\/td>\n.cfg<\/td>\n.cfn<\/td>\n.cgm<\/td>\n<\/tr>\n
    .cib<\/td>\n.class<\/td>\n.cls<\/td>\n.cmd<\/td>\n.cmt<\/td>\n.config<\/td>\n.contact<\/td>\n.cpi<\/td>\n.cpp<\/td>\n<\/tr>\n
    .cr2<\/td>\n.craw<\/td>\n.crt<\/td>\n.crw<\/td>\n.cry<\/td>\n.cs<\/td>\n.csh<\/td>\n.csl<\/td>\n.csr<\/td>\n<\/tr>\n
    .css<\/td>\n.csv<\/td>\n.d3dbsp<\/td>\n.dac<\/td>\n.das<\/td>\n.dat<\/td>\n.db<\/td>\n.db3<\/td>\n.db_journal<\/td>\n<\/tr>\n
    .dbf<\/td>\n.dbx<\/td>\n.dc2<\/td>\n.dch<\/td>\n.dcr<\/td>\n.dcs<\/td>\n.ddd<\/td>\n.ddoc<\/td>\n.ddrw<\/td>\n<\/tr>\n
    .dds<\/td>\n.def<\/td>\n.der<\/td>\n.des<\/td>\n.design<\/td>\n.dgc<\/td>\n.dgn<\/td>\n.dif<\/td>\n.dip<\/td>\n<\/tr>\n
    .dit<\/td>\n.djv<\/td>\n.djvu<\/td>\n.dng<\/td>\n.doc<\/td>\n.docb<\/td>\n.docm<\/td>\n.docx<\/td>\n.dot<\/td>\n<\/tr>\n
    .dotm<\/td>\n.dotx<\/td>\n.drf<\/td>\n.drw<\/td>\n.dtd<\/td>\n.dwg<\/td>\n.dxb<\/td>\n.dxf<\/td>\n.dxg<\/td>\n<\/tr>\n
    .edb<\/td>\n.eml<\/td>\n.eps<\/td>\n.erbsql<\/td>\n.erf<\/td>\n.exf<\/td>\n.fdb<\/td>\n.ffd<\/td>\n.fff<\/td>\n<\/tr>\n
    .fh<\/td>\n.fhd<\/td>\n.fla<\/td>\n.flac<\/td>\n.flb<\/td>\n.flf<\/td>\n.flv<\/td>\n.forge<\/td>\n.fpx<\/td>\n<\/tr>\n
    .frm<\/td>\n.fxg<\/td>\n.gbr<\/td>\n.gho<\/td>\n.gif<\/td>\n.gpg<\/td>\n.gray<\/td>\n.grey<\/td>\n.groups<\/td>\n<\/tr>\n
    .gry<\/td>\n.gz<\/td>\n.h<\/td>\n.hbk<\/td>\n.hdd<\/td>\n.hpp<\/td>\n.html<\/td>\n.hwp<\/td>\n.ibank<\/td>\n<\/tr>\n
    .ibd<\/td>\n.ibz<\/td>\n.idx<\/td>\n.iif<\/td>\n.iiq<\/td>\n.incpas<\/td>\n.indd<\/td>\n.info<\/td>\n.info_<\/td>\n<\/tr>\n
    .iwi<\/td>\n.jar<\/td>\n.java<\/td>\n.jnt<\/td>\n.jpe<\/td>\n.jpeg<\/td>\n.jpg<\/td>\n.js<\/td>\n.json<\/td>\n<\/tr>\n
    .k2p<\/td>\n.kc2<\/td>\n.kdbx<\/td>\n.kdc<\/td>\n.key<\/td>\n.kpdx<\/td>\n.kwm<\/td>\n.laccdb<\/td>\n.lay<\/td>\n<\/tr>\n
    .lay6<\/td>\n.lbf<\/td>\n.lck<\/td>\n.ldf<\/td>\n.lit<\/td>\n.litemod<\/td>\n.litesql<\/td>\n.lock<\/td>\n.ltx<\/td>\n<\/tr>\n
    .lua<\/td>\n.m<\/td>\n.m2ts<\/td>\n.m3u<\/td>\n.m4a<\/td>\n.m4p<\/td>\n.m4u<\/td>\n.m4v<\/td>\n.ma<\/td>\n<\/tr>\n
    .mab<\/td>\n.mapimail<\/td>\n.max<\/td>\n.mbx<\/td>\n.md<\/td>\n.mdb<\/td>\n.mdc<\/td>\n.mdf<\/td>\n.mef<\/td>\n<\/tr>\n
    .mfw<\/td>\n.mid<\/td>\n.mkv<\/td>\n.mlb<\/td>\n.mml<\/td>\n.mmw<\/td>\n.mny<\/td>\n.money<\/td>\n.moneywell<\/td>\n<\/tr>\n
    .mos<\/td>\n.mov<\/td>\n.mp3<\/td>\n.mp4<\/td>\n.mpeg<\/td>\n.mpg<\/td>\n.mrw<\/td>\n.ms11<\/td>\n.msf<\/td>\n<\/tr>\n
    .msg<\/td>\n.mts<\/td>\n.myd<\/td>\n.myi<\/td>\n.nd<\/td>\n.ndd<\/td>\n.ndf<\/td>\n.nef<\/td>\n.nk2<\/td>\n<\/tr>\n
    .nop<\/td>\n.nrw<\/td>\n.ns2<\/td>\n.ns3<\/td>\n.ns4<\/td>\n.nsd<\/td>\n.nsf<\/td>\n.nsg<\/td>\n.nsh<\/td>\n<\/tr>\n
    .nvram<\/td>\n.nwb<\/td>\n.nx2<\/td>\n.nxl<\/td>\n.nyf<\/td>\n.oab<\/td>\n.obj<\/td>\n.odb<\/td>\n.odc<\/td>\n<\/tr>\n
    .odf<\/td>\n.odg<\/td>\n.odm<\/td>\n.odp<\/td>\n.ods<\/td>\n.odt<\/td>\n.ogg<\/td>\n.oil<\/td>\n.omg<\/td>\n<\/tr>\n
    .one<\/td>\n.onenotec2<\/td>\n.orf<\/td>\n.ost<\/td>\n.otg<\/td>\n.oth<\/td>\n.otp<\/td>\n.ots<\/td>\n.ott<\/td>\n<\/tr>\n
    .p12<\/td>\n.p7b<\/td>\n.p7c<\/td>\n.pab<\/td>\n.pages<\/td>\n.paq<\/td>\n.pas<\/td>\n.pat<\/td>\n.pbf<\/td>\n<\/tr>\n
    .pcd<\/td>\n.pct<\/td>\n.pdb<\/td>\n.pdd<\/td>\n.pdf<\/td>\n.pef<\/td>\n.pem<\/td>\n.pfx<\/td>\n.php<\/td>\n<\/tr>\n
    .pif<\/td>\n.pl<\/td>\n.plc<\/td>\n.plus_muhd<\/td>\n.pm!<\/td>\n.pm<\/td>\n.pmi<\/td>\n.pmj<\/td>\n.pml<\/td>\n<\/tr>\n
    .pmm<\/td>\n.pmo<\/td>\n.pmr<\/td>\n.pnc<\/td>\n.pnd<\/td>\n.png<\/td>\n.pnx<\/td>\n.pot<\/td>\n.potm<\/td>\n<\/tr>\n
    .potx<\/td>\n.ppam<\/td>\n.pps<\/td>\n.ppsm<\/td>\n.ppsx<\/td>\n.ppt<\/td>\n.pptm<\/td>\n.pptx<\/td>\n.prf<\/td>\n<\/tr>\n
    .private<\/td>\n.ps<\/td>\n.psafe3<\/td>\n.psd<\/td>\n.pspimage<\/td>\n.pst<\/td>\n.ptx<\/td>\n.pub<\/td>\n.pwm<\/td>\n<\/tr>\n
    .py<\/td>\n.qba<\/td>\n.qbb<\/td>\n.qbm<\/td>\n.qbr<\/td>\n.qbw<\/td>\n.qbx<\/td>\n.qby<\/td>\n.qcow<\/td>\n<\/tr>\n
    .qcow2<\/td>\n.qed<\/td>\n.qtb<\/td>\n.r3d<\/td>\n.raf<\/td>\n.rar<\/td>\n.rat<\/td>\n.raw<\/td>\n.rb<\/td>\n<\/tr>\n
    .rdb<\/td>\n.re4<\/td>\n.rm<\/td>\n.rtf<\/td>\n.rvt<\/td>\n.rw2<\/td>\n.rwl<\/td>\n.rwz<\/td>\n.s3db<\/td>\n<\/tr>\n
    .safe<\/td>\n.sas7bdat<\/td>\n.sav<\/td>\n.save<\/td>\n.say<\/td>\n.sch<\/td>\n.sd0<\/td>\n.sda<\/td>\n.sdb<\/td>\n<\/tr>\n
    .sdf<\/td>\n.secret<\/td>\n.sh<\/td>\n.sldm<\/td>\n.sldx<\/td>\n.slk<\/td>\n.slm<\/td>\n.sql<\/td>\n.sqlite<\/td>\n<\/tr>\n
    .sqlite-shm<\/td>\n.sqlite-wal<\/td>\n.sqlite3<\/td>\n.sqlitedb<\/td>\n.sr2<\/td>\n.srb<\/td>\n.srf<\/td>\n.srs<\/td>\n.srt<\/td>\n<\/tr>\n
    .srw<\/td>\n.st4<\/td>\n.st5<\/td>\n.st6<\/td>\n.st7<\/td>\n.st8<\/td>\n.stc<\/td>\n.std<\/td>\n.sti<\/td>\n<\/tr>\n
    .stl<\/td>\n.stm<\/td>\n.stw<\/td>\n.stx<\/td>\n.svg<\/td>\n.swf<\/td>\n.sxc<\/td>\n.sxd<\/td>\n.sxg<\/td>\n<\/tr>\n
    .sxi<\/td>\n.sxm<\/td>\n.sxw<\/td>\n.tar<\/td>\n.tax<\/td>\n.tbb<\/td>\n.tbk<\/td>\n.tbn<\/td>\n.tex<\/td>\n<\/tr>\n
    .tga<\/td>\n.tgz<\/td>\n.thm<\/td>\n.tif<\/td>\n.tiff<\/td>\n.tlg<\/td>\n.tlx<\/td>\n.txt<\/td>\n.uop<\/td>\n<\/tr>\n
    .uot<\/td>\n.upk<\/td>\n.usr<\/td>\n.vb<\/td>\n.vbox<\/td>\n.vbs<\/td>\n.vdi<\/td>\n.vhd<\/td>\n.vhdx<\/td>\n<\/tr>\n
    .vmdk<\/td>\n.vmsd<\/td>\n.vmx<\/td>\n.vmxf<\/td>\n.vob<\/td>\n.vpd<\/td>\n.vsd<\/td>\n.wab<\/td>\n.wad<\/td>\n<\/tr>\n
    .wallet<\/td>\n.war<\/td>\n.wav<\/td>\n.wb2<\/td>\n.wk1<\/td>\n.wks<\/td>\n.wma<\/td>\n.wmf<\/td>\n.wmv<\/td>\n<\/tr>\n
    .wpd<\/td>\n.wps<\/td>\n.x11<\/td>\n.x3f<\/td>\n.xis<\/td>\n.xla<\/td>\n.xlam<\/td>\n.xlc<\/td>\n.xlk<\/td>\n<\/tr>\n
    .xlm<\/td>\n.xlr<\/td>\n.xls<\/td>\n.xlsb<\/td>\n.xlsm<\/td>\n.xlsx<\/td>\n.xlt<\/td>\n.xltm<\/td>\n.xltx<\/td>\n<\/tr>\n
    .xlw<\/td>\n.xml<\/td>\n.xps<\/td>\n.xxx<\/td>\n.ycbcra<\/td>\n.yuv<\/td>\n.zip<\/td>\n<\/td>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

     <\/p>\n

    However, new to this version is a list of file name extensions exempted from encryption:<\/p>\n