This blog was co-written by Sapna Juneja.
Cerber is a quickly evolving type of malware called crypto-ransomware. Cerber encrypts files on an infected computer and demands a ransom to restore them. (Read more about Cerber in this post.)
Cerber ransomware first appeared in early 2016 and remains hard to detect. It uses multicomponent behavior (installing several malicious files on the victim’s machine) that shows similarities to families such as Gamarue. Recent variants have added a loader component that appears to be designed to evade detection.
Cerber infects systems via social media tricks such as spam email with malicious links or documents, malvertising campaigns, exploits of vulnerable websites, and takes advantage of exploit kits Angler, Nuclear, and others. Recently we have seen self-extracting archives.
Cerber’s infection path.
The SFX archive contains three files: VBS script, DLL, and an X component. The SFX file runs a VBS script using wscript.exe. The script executes a DLL-export function through rundll32.exe, which further decrypts and executes the encrypted X component. The last component checks for reversing environment techniques and injects the loader component into either Regasm.exe, Csc.exe or WerFault.exe.
The extracted archive:
The opening script, N3W7MN.VBS, has the following command:
The X component is fully encrypted and looks like this:
This DLL loads the first encrypted part (see next image) of the x component in memory; a second part looks for anti-reversing techniques. The first encrypted component:
This component does following:
- Checks for antimalware engines.
- Checks whether WireShark, a virtual machine, or VBox is running.
- Adds the content of the VBS file into a run entry and runs one time.
- The malware uses run entries to add the VBS script into the startup sequence so that the malicious VBS script executes at every reboot.
- Adds an entry to the task scheduler to reside on the system for a long time. Tasks are by default stored in %WinDir%\Tasks or %WinDir%\System32\Tasks.
- Decrypts the second component (see next image) from the X component and injects it into Regasm.exe or WerFault.exe to hide itself.
The decrypted second component checks for the .Net framework. If found, the malware checks the available version and injects code into it. If .Net is not found, it injects code into WerFault.exe. In this way, Cerber is effective against 32-bit and 64-bit machines:
The injected component has some interesting methods to bypass user account control, a feature that prevents unauthorized changes to a computer. Via notification, UAC assures that these changes are made only with the permission of the administrator. If a standard user account is in the local admin group, then damage is limited. Installing services, writing to secure locations, etc. are denied. To make these changes, users would need to interact with the desktop, such as with a right-click and run as administrator or accepting the UAC elevation prompt. There are number of ways to bypass UAC; one of them follows:
In the preceding code the value of “pszname” is “elevation:Administrator!new:{guid}”.
Summary
Cerber uses several key techniques:
- Multicomponents to perform its tasks.
- Uses several anti-debugging, anti-emulation techniques.
- Bypasses UAC to gain elevated access.
Cerber uses these techniques to try to evade machine learning defenses. Defenders cannot rely on static machine learning; the security industry must adapt with dynamic machine learning or consider multiple technologies to proactively protect systems.
McAfee advises users to always keep their antimalware signatures up to date. McAfee products detect all versions of this malware as Ransom-Cerber!, with DAT Versions 8489 and later.
Hashes used in this analysis:
- 352f1ac1407a551e42c270a8d381ed7c2d74718356cee3c2206bb4836ea6349f: SFX
- 4d66976a9c20c859d44ea0df2d3325d35ed4556d83d5251384dbd4b790537d11: DLL