CrAKeN Posted May 3, 2017

Security researchers have spotted version 6 of the Cerber ransomware, and this new edition continues to add features, heightening the complexity this ransomware family has been showing. First detected at the end of March, version 6 comes with new distribution vectors, a revised encryption routine, and anti-sandbox and anti-AV defensive features. These features, added only a few months after Cerber 4 and Cerber 5 brought their own batch of improvements, show the ransomware is continuing to grow, most likely fueled by the financial success it has had since Locky went dark over the winter and left a void to fill.

Cerber 6 distribution vectors diversify

Cerber 6 distribution is the same as before: the ransomware still relies on massive spam campaigns to reach its victims, although other distribution channels such as exploit kits and manual installation scenarios have been spotted. While most of the spam emails follow the classic ZIP -> JavaScript -> PowerShell trick, security researchers also reported seeing some Cerber operators experimenting with other email attachment types. The most prevalent of these experiments used self-extracting archives (SFX files), which unpacked and executed a collection of VBS and DLL files in a fairly intricate attack chain. Simpler infection methods were also spotted, when some Cerber operators took a page out of Locky's book and started distributing HTML Application (HTA) files and even binary (BIN) files to infect victims. According to Trend Micro, one reason for this surge in distribution tactics is that Cerber became very popular on the underground market, where its operators have been selling access to their RaaS (Ransomware-as-a-Service) portal, especially since March.
This Cerber RaaS, the new Cerber 6 version, and the Necurs botnet downtime were among the main factors that made Cerber the most popular variant on the ransomware scene last month.

New encryption routine

But running the most successful ransomware operation on the market is hard. The Cerber source code and the infrastructure used to deliver it are constantly under surveillance and scrutiny. To keep security researchers at bay, most professional ransomware operations evolve every few months. We've seen this with CryptoLocker, TeslaCrypt, and Locky, and we're now seeing it with Cerber. The biggest change in Cerber 6 is its new encryption routine, which now uses Microsoft's Cryptographic Application Programming Interface (CryptoAPI), similar to Spora.

Cerber gets anti-VM and anti-sandboxing features

Another major new feature discovered in Cerber 6 is the addition of anti-VM and anti-sandboxing techniques to detect when security researchers or security products are trying to identify a Cerber infection. These features, along with a time delay before the actual Cerber payload executes, make detecting infections much harder. In late February, in an earlier version, Cerber started skipping files belonging to antivirus programs when encrypting. Starting with version 6, Cerber creates Windows Firewall rules aimed at the EXE files of security software (AV, firewall and antispyware products, per the Trend Micro table below). One caveat for defenders: a Windows Firewall rule cannot stop a binary from executing; what it blocks is the program's network traffic, which cuts the product off from updates and cloud lookups, and the rules themselves are a useful hunting artifact.

Cerber is by far the most sophisticated threat

All of these new features show that the Cerber crew is taking ransomware development to the next level. While Verizon and Proofpoint highlighted in recent reports that the number of ransomware families keeps going up, most of those are junk products, mostly based on low-quality open-source code.
On the other hand, Cerber uses advanced features and has also cannibalized the distribution market, making it by far the most dangerous ransomware on the market today, regardless of how many new ransomware variants other security companies spot. At the time of writing, there is no known way to defeat the Cerber 6 encryption and recover files.

Below is a table put together by Trend Micro, showcasing Cerber's evolution across all its versions.

| | Cerber v1, v2 and v3 | Cerber v4 | Cerber v5 | Cerber SFX | Cerber v6 |
|---|---|---|---|---|---|
| File type | EXE | EXE | EXE | SFX (loader), VBS, DLL | EXE |
| Exceptions (Cerber doesn't execute if it detects certain components on the system) | Language in v1 and v3*; language and antivirus (AV) in v2* | Language* | Language* | AV, VM, sandbox (loader*), and language* | Language* |
| Anti-AV routine | None | None | None | None | EXE files of AV, firewall and antispyware products set to be blocked by Windows Firewall rules* |
| Anti-sandbox | None | None | None | VM and sandbox (loader*) | VM and sandbox (loader*) |
| Backup deletion | Yes (vssadmin, WMIC, BCDEdit)* | Yes (WMIC)* | Yes (WMIC)*; removed in v5.02 | Varies (some samples have backup deletion capabilities) | Varies (some samples have backup deletion capabilities) |
| Exclusion list (directories and file types Cerber doesn't encrypt) | Folder and file* | Folder and file* | Folder and file*; plus AV, antispyware and firewall directories | Folder and file*; plus AV, antispyware and firewall directories | Folder and file* |

* option can be configured by customers of the Cerber RaaS
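The two host-side artifacts the article and the Trend Micro table describe, Windows Firewall rules aimed at security-product binaries (the v6 anti-AV routine) and shadow-copy/recovery tampering through vssadmin, WMIC and BCDEdit (the backup deletion row), are things a responder can hunt for on an endpoint. The script below is an added example written for this thread; it is not Cerber code and not Trend Micro's or Bleeping Computer's tooling. It parses the output of `netsh advfirewall firewall show rule name=all verbose` (the sample output, the product install directories and the command lines are constructed for illustration, abridged to the fields the check needs) and flags Block rules whose Program path sits under a security-product directory, then matches process command lines against the three backup-deletion tools.

```python
"""Hunt for two Cerber-style host artifacts: firewall Block rules pointed at
security-product EXEs, and shadow-copy / boot-recovery tampering commands.
Added example; not Cerber code nor any vendor's tooling. All paths, rule
names and command lines are constructed for illustration."""
import re

# Assumed install directories of security products on the host being checked.
# Illustrative list: extend it with the vendors actually deployed.
SECURITY_DIRS = (
    r"c:\program files\windows defender",
    r"c:\program files\trend micro",
    r"c:\program files\malwarebytes",
    r"c:\program files (x86)\kaspersky lab",
)

# Command-line patterns for the backup-deletion tools named in the table.
BACKUP_TAMPER_PATTERNS = (
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no"
               r"|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
)


def parse_netsh_rules(text):
    """Parse 'netsh advfirewall firewall show rule name=all verbose' output
    into one dict per rule keyed by field label (Rule Name, Direction,
    Program, Action, ...). A rule starts at each 'Rule Name:' line; the
    dashed separators and blank lines carry no field and are skipped."""
    rules, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+?):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def blocked_security_programs(rules):
    """Return (rule name, program path) for every Block rule, inbound or
    outbound, whose Program lives under a known security-product directory.
    Legitimate products almost never get Block rules, so each hit needs a look."""
    hits = []
    for rule in rules:
        program = rule.get("Program", "")
        if rule.get("Action", "").lower() != "block":
            continue
        if program.lower().startswith(SECURITY_DIRS):
            hits.append((rule["Rule Name"], program))
    return hits


def backup_tampering(command_lines):
    """Return the process command lines (e.g. Sysmon event 1 or Security 4688
    CommandLine fields) that match a backup-deletion pattern."""
    return [c for c in command_lines
            if any(p.search(c) for p in BACKUP_TAMPER_PATTERNS)]


# Constructed netsh verbose output (fields abridged): one benign Allow rule
# and two Block rules pointed at illustrative security-product executables.
SAMPLE_NETSH = r"""
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Program:                              C:\Windows\system32\svchost.exe
Action:                               Allow

Rule Name:                            MsMpEng
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Program:                              C:\Program Files\Windows Defender\MsMpEng.exe
Action:                               Block

Rule Name:                            PccNTMon
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Program:                              C:\Program Files\Trend Micro\Security Agent\PccNTMon.exe
Action:                               Block
"""

# Constructed process command lines: four tampering commands, then two benign.
SAMPLE_CMDLINES = [
    r"vssadmin.exe delete shadows /all /quiet",
    r"wmic shadowcopy delete",
    r"bcdedit /set {default} recoveryenabled no",
    r"bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"vssadmin list shadows",
    r"bcdedit /enum",
]

if __name__ == "__main__":
    for name, program in blocked_security_programs(parse_netsh_rules(SAMPLE_NETSH)):
        print(f"firewall Block rule {name!r} targets {program}")
    for cmd in backup_tampering(SAMPLE_CMDLINES):
        print(f"backup tampering: {cmd}")
```

On a live Windows host, feed the script the real `netsh ... show rule name=all verbose` output, or run the equivalent hunt directly in PowerShell with `Get-NetFirewallRule -Action Block | Get-NetFirewallApplicationFilter` and inspect the `Program` property. The check deliberately ignores rule direction, because either direction against a security product's binary is abnormal; the backup-deletion patterns likewise ignore the `.exe` suffix and casing so renamed or quoted invocations still match.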
straycat19 Posted May 4, 2017

Cerber is really late to the anti-sandbox and VM game. Most malware went that route 5-6 years ago, if not earlier.
steven36 Posted May 4, 2017

3 hours ago, straycat19 said: Cerber is really late to the anti-sandbox and VM game. Most malware went that route 5-6 years ago, if not earlier.

Ransomware didn't use to have to be as smart as old malware, no way, and this is not new. Malware has tried to detect debug environments for 20 years, and now it tries to detect VMs. Anti-malware has been around a long time too. But most ransomware is malware for idiots; it can be prevented by not clicking on spam emails. Malware tries to stay hidden so it can keep collecting info. Ransomware, if you are a victim, is going to rear its ugly head and tell you to pay up, and this strain can even talk to you, so sorry, but they're not the same thing: old types of malware want to stay hidden and ransomware wants to be paid. Before malware, most viruses were just created for fun. But malware wants info, for whatever reason, for personal gain, and ransomware wants money, so it normally would not be hiding. That's like comparing a spy to a bank robber; they're not the same thing. A lot of malware was so stupid it would call out to the internet and you could block it with a firewall till you removed it, whereas ransomware locks down your whole OS. Malware is not very different from what Google, Microsoft, Facebook and others do by harvesting data. The only difference is it's legal because you agree to it. Even some paid anti-malware programs act like malware because they collect your info for personal gain. Even some free VPNs turned you into a botnet if you used them. The internet is just one big black hole full of malware, and ever since I came on the internet it has always been that way.

Microsoft's Software is Malware https://www.gnu.org/proprietary/malware-microsoft.en.html
Google's Software Is Malware https://www.gnu.org/proprietary/malware-google.en.html
Google warns entire Internet is malware https://www.cnet.com/news/google-warns-entire-internet-is-malware/

At least Google was honest and warned us about it. When the US and UK got together and created the WWW they said let there be malware, and they saw it made them lots of money and they were pleased. Before the WWW the internet belonged to the government, so it's always had a baked-in backdoor!!!