Cerber Ransomware Found on a U.S. Government Website

September 08, 2017
The U.S. National Wildfire Coordinating Group’s (NWCG) website was discovered hosting a JavaScript downloader used to deliver the infamous Cerber ransomware. Ankit Anubhav, the security researcher who made the discovery, said that the website was hosting a .zip archive that contained a JavaScript file with an obfuscated PowerShell script. The PowerShell script downloads the Cerber executable, disguised as a .gif file.

It hasn’t been determined how attackers were able to host the malware on the website, or whether any visitors were infected. It's possible that the site was hacked, or that the site stored archives of email attachments, one of which carried the malicious file.

The variant found unwittingly hosted on the website has similarities to Cerber Version 6, which was distributed through socially engineered spam emails carrying a zipped attachment that contains a malicious JavaScript file. The various JavaScript files analyzed by Trend Micro revealed a three-pronged approach: directly download and execute the payload, create a scheduled task to run Cerber after two minutes, or run an embedded PowerShell script.
Figure 1. Infection chain of Cerber Version 6
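As an added triage example (not code from Trend Micro's write-up), the snippet below checks an archive for the three indicators described above and flags an image-named file that actually starts with a PE header, the disguise used for the Cerber executable; the file names, regexes and the constructed sample archive are assumptions.

```python
import io
import re
import zipfile

# Triage signals from the described chain: a zipped script that references
# PowerShell, a scheduled task, or the usual download-and-execute COM objects.
# Hits are indicators for analyst review, not a verdict.
JS_EXTENSIONS = (".js", ".jse", ".wsf")
INDICATORS = {
    "powershell": re.compile(r"powershell", re.I),
    "scheduled_task": re.compile(r"schtasks|Schedule\.Service", re.I),
    "download_exec": re.compile(r"MSXML2\.XMLHTTP|ADODB\.Stream|WScript\.Shell", re.I),
}
PE_MAGIC = b"MZ"  # DOS/PE header; a real GIF starts with "GIF87a"/"GIF89a"


def scan_archive(zip_bytes: bytes) -> dict:
    """Return {member_name: [indicator, ...]} for script members inside a zip."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(JS_EXTENSIONS):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
            if hits:
                findings[info.filename] = hits
    return findings


def is_disguised_executable(filename: str, data: bytes) -> bool:
    """True when a file named like an image carries a PE header instead."""
    looks_like_image = filename.lower().endswith((".gif", ".jpg", ".png"))
    return looks_like_image and data.startswith(PE_MAGIC)


def build_sample_zip() -> bytes:
    """Constructed stand-in for the hosted archive: a .js member that merely
    mentions PowerShell, plus a harmless text member that must be ignored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", 'var cmd = "powershell"; // constructed sample\n')
        zf.writestr("readme.txt", "nothing here")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_archive(build_sample_zip()))
    print(is_disguised_executable("payload.gif", b"MZ\x90\x00"))
```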

Anubhav tweeted the discovery, and within hours, the link to the malware was taken down.

Every IT/system administrator should adopt these ransomware best practices to defend against threats like Cerber. In addition, an effective multilayered security solution adds to the strong security posture of systems and networks.

Trend Micro Smart Protection Suites and Worry-Free Business Security can protect users and businesses from ransomware threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.

Trend Micro OfficeScan™ with XGen™ endpoint security actively detects this Cerber variant. It infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against ransomware and advanced malware. Our machine learning capabilities are tuned to account for attacks using techniques employed by ransomware like Cerber.
