Cerber Crypto-Ransomware Now Uses Malicious Windows Script Files via Email Campaigns

The Cerber crypto-ransomware, which made the rounds in early March this year, has upped its ante by using email as another way to distribute the malware, according to a report from computer security firm Forcepoint.

The firm’s researchers were able to track an email campaign distributing the malware through double-zipped files serving as email attachments. The files contain Windows Script Files (WSFs), text documents that hold Extensible Markup Language (XML) code and are executed by Windows’ wscript.exe utility. According to the report, the WSF files contained obfuscated JScript code whose final payload is the Cerber ransomware.

Forcepoint’s Nicholas Griffin noted that the unusual use of a double-zipped file containing a WSF allowed the malware to bypass an email client’s spam filter and some security software, especially those that utilize machine learning. The campaign also attempts to evade heuristic analysis by including authentic-looking email content, particularly content related to billing and invoicing, and it adds an ‘unsubscribe’ button that redirects to the same ZIP file.
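The nested-archive trick described above is straightforward to check for at a mail gateway. The following is an added example, not code from the article or from Forcepoint: it walks ZIP archives nested inside ZIP archives and reports any script-type file (WSF among them) together with its nesting depth, using a constructed double-zipped sample rather than a real lure; the extension list and depth limit are assumptions.

```python
import io
import zipfile

# Script-type extensions commonly abused as email-borne droppers; .wsf is the
# one used in the campaign described above (list is an assumption, extend as needed).
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta"}


def find_script_attachments(data: bytes, name: str = "attachment.zip",
                            depth: int = 0, max_depth: int = 4) -> list:
    """Recursively open ZIPs nested in ZIPs and return (path, nesting_depth)
    for every script-type member found. max_depth bounds the recursion so a
    deliberately deep archive cannot exhaust the scanner."""
    findings = []
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{name}!{info.filename}"
            lowered = info.filename.lower()
            ext = lowered[lowered.rfind("."):] if "." in lowered else ""
            if ext in SCRIPT_EXTENSIONS:
                findings.append((member, depth + 1))
            elif ext == ".zip":
                # Inner archive: recurse with the member bytes.
                findings.extend(find_script_attachments(zf.read(info), member,
                                                        depth + 1, max_depth))
    return findings


def is_suspicious(data: bytes) -> bool:
    """Gateway policy: any script file inside the attachment is enough to quarantine."""
    return bool(find_script_attachments(data))


def build_sample() -> bytes:
    """Construct a harmless double-zipped attachment in the same shape as the
    campaign (ZIP -> ZIP -> .wsf); the WSF body is a placeholder, not malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice_4821.wsf",
                    "<job><script language='JScript'>/* placeholder */</script></job>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.zip", inner.getvalue())
        zf.writestr("readme.txt", "placeholder")
    return outer.getvalue()
```

A finding at depth 2 or more is the double-zipped pattern the report describes; a plain text attachment or a non-ZIP blob yields no findings.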

The Cerber crypto-ransomware (identified by Trend Micro as RANSOM_CERBER.A) infects a system as a file dropped by another malware or as a file downloaded and executed unsuspectingly by users visiting malicious websites. Since its reported discovery last March, its typical distribution method was through malvertisements (malicious advertisements) using a Nuclear exploit kit that attacked vulnerable or unpatched programs and applications.

[Related: How malvertising works and how it can infect you with malware]

Upon infection, the user’s files are encrypted and rendered inaccessible. The user is then instructed to pay 1.24 bitcoin (around $523 as of March 4, 2016), which will increase by $1,046 after a week. Interestingly, Cerber queries the location of the computer and terminates itself if found running in countries from the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine).

Cerber was notable for using a computer-generated voice, instead of displaying the ransom note as an image, to warn the user that their files have been encrypted. The intrusion technique resembles how the well-known ransomware Locky infiltrates a computer through malicious macros embedded in Word documents that are sent as email attachments posing as invoices.

[Read: What can you do to avoid being a ransomware victim?]

Trend Micro’s further analysis of Cerber showed that the ransomware comes with a customizable configuration file that allows the distributor to modify components of the malware, such as the ransom note, the targeted users, and the files they wish to encrypt.

Cerber also serves as an example of how malware in general is increasingly becoming more accessible to the masses, as it has been reported to be sold in the Russian online black market. Offered as ransomware-as-a-service (RaaS), attackers buy the license to use the ransomware while the malware’s authors earn commissions for every paid ransom. As such, there is no specific threat actor using the malware but rather several ‘affiliates’ distributing their own builds of the Cerber ransomware in different ways.

According to Griffin, a majority of the observed victims of this email campaign are currently within the United Kingdom, and the campaign is projected to expand to other countries over time.
