Friday, July 15, 2016

Feedly: Security Intelligence | TrendLab.... Cerber: A Case in Point of Ransomware Leveraging Cloud Platforms

from Security Intelligence | TrendLab...

As end users increasingly adopt cloud services, cybercriminals are finding ways to abuse them as vectors to host and deliver malware. By targeting cloud-based productivity platforms used by many enterprises, the malefactors also hope to victimize users who handle sensitive corporate data; being denied access to that data can mean serious repercussions for business operations.

A case in point: the Cerber ransomware. Its latest variant—detected by Trend Micro as RANSOM_CERBER.CAD—was found to have targeted Office 365 users, particularly home users and businesses.


Figure 1. Cerber’s latest variant drops four ransom notes: a VBS file which serves as the audio version of the ransom note, a .url file which opens the default web browser to its payment site, as well as .html and .txt files (seen above).

Since it began making the rounds in March, the Cerber ransomware family has been updated with capabilities such as distributed denial-of-service (DDoS), and it now uses double-zipped Windows Script Files (WSFs) to evade heuristic analysis and bypass email spam filters. It is one of the few ransomware families whose ransom note is also read aloud by a computer-generated voice. Its source code is even traded in the Russian underground under a ransomware-as-a-service business model to further monetize the cybercriminals’ operations. The malware was primarily distributed through a combination of malvertising campaigns relying on exploits used by the Nuclear exploit kit.

Sample of Cerber-carrying spam email

Figure 2. Samples of spam emails with malicious attachments (in this case a Word template file) passed off as an invoice or a debt promissory note.

Cerber’s latest variant targeted Office 365 customers via malicious, macro-laced Office documents attached to spam emails. Microsoft has security measures in place for Office 365 and for Office applications installed locally on computers. As part of those, macros are disabled by default to prevent macro-based malware from infecting the system. Like other ransomware families, Cerber relies on the end user to bypass this security feature, using social engineering to trick users into manually enabling the macros embedded in the file.

Enabling the macro in the document (W2KM_CERBER.CAD) will drop a VBS-coded Trojan downloader (VBS_CERBER.CAD) which then fetches RANSOM_CERBER.CAD from the malicious URLs:


This variant of Cerber is able to encrypt 442 file types using a combination of AES-256 and RSA, modify the machine’s Internet Explorer Zone Settings, delete shadow copies, disable Windows Startup Repair and terminate processes from Outlook, The Bat!, Thunderbird and Microsoft Word. After querying the affected system’s country, the ransomware terminates itself if it finds it is running in a country in the Commonwealth of Independent States.

Decryption routine of the malicious macro
Figure 3. Part of the decryption routine of the malicious macro, including the command to drop a Trojan downloader, VBS_CERBER.CAD, at %Application Data%\{random file name}.vbs. The Trojan saves the files it downloads as %Application Data%\{random file name}.tmp.
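The infection chain and post-infection behaviours described above (an Office document launching a dropped .vbs downloader, a .tmp file under %Application Data%, shadow copy deletion, Startup Repair being disabled) can be hunted for in process-creation telemetry. The following is an added example, not code from the original post or from Trend Micro; the event fields, sample events, rule names and the specific Windows commands matched are assumptions.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: %Application Data% resolves to <profile>\AppData\Roaming.
APPDATA = r'\\appdata\\roaming\\[^\\"]+'
VBS_ARG = re.compile(APPDATA + r"\.vbs\b", re.I)
TMP_IMAGE = re.compile(APPDATA + r"\.tmp$", re.I)
# Assumption: the article names these behaviours, not the commands; the
# patterns match the stock Windows tools commonly used for them.
CMD_RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin\b.*\bdelete\s+shadows|\bwmic\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "startup_repair_disabled": re.compile(
        r"\bbcdedit\b.*\brecoveryenabled\s+no\b", re.I),
}

def classify(parent, image, cmdline):
    """Return the sorted rule names tripped by one process-creation event."""
    hits = {name for name, rx in CMD_RULES.items() if rx.search(cmdline)}
    if basename(image).lower() in SCRIPT_HOSTS:
        if basename(parent).lower() in OFFICE:
            hits.add("office_spawns_script_host")
        if VBS_ARG.search(cmdline):
            hits.add("script_from_appdata")
    if TMP_IMAGE.search(image):  # assumed: the saved .tmp download is then run
        hits.add("tmp_image_in_appdata")
    return sorted(hits)

# Constructed sample events (parent image, image, command line); not real telemetry.
ROAM, SYS = r"C:\Users\alice\AppData\Roaming", r"C:\Windows\System32"
WORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
EVENTS = [
    (WORD, SYS + r"\wscript.exe", 'wscript.exe "' + ROAM + r'\kq3x.vbs"'),
    (SYS + r"\wscript.exe", ROAM + r"\kq3x.tmp", ROAM + r"\kq3x.tmp"),
    (ROAM + r"\kq3x.tmp", SYS + r"\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (ROAM + r"\kq3x.tmp", SYS + r"\bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    (r"C:\Windows\explorer.exe", WORD, 'WINWORD.EXE "C:\\Users\\alice\\Documents\\report.docx"'),
]

def triage(events):
    """Map event index -> rule hits, keeping only events that tripped a rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(*ev))}

if __name__ == "__main__":
    for index, hits in triage(EVENTS).items():
        print(index, hits)
```

The last constructed event (a user opening a document from Explorer) trips no rule, which is the baseline the other four are measured against.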

Trend Micro has been seeing Cerber-carrying spam emails since May 2016. There was a noticeable surge in June: from over 800 spam messages seen in May to more than 12,000 spam messages in June. The highest spam activity was observed on June 22, when over 9,000 Cerber-related spam messages were seen. This new Cerber variant has also been found to be pushed by the Rig and Magnitude exploit kits, both recently reported to be leveraging zero-day vulnerabilities and dropping other ransomware families.

Ransomware authors such as Cerber’s will continue to use seemingly new tactics in order to increase the distribution of their malware. This time they are leveraging cloud-based platforms to infect home users and enterprises alike, even though these platforms are as secure as their desktop counterparts. Given Cerber’s reliance on social engineering, end users are advised to disable macros in Office programs and to exercise caution when opening email attachments from unknown and unsolicited senders. A solid backup strategy is also an effective defense against ransomware.

Trend Micro Solutions:

Trend Micro’s Cloud App Security (CAS) can help enhance the security of Office 365 apps and other cloud services by using cutting-edge sandbox malware analysis for ransomware and other advanced threats. CAS uses document exploit detection to find hidden malware embedded in Office files, while Deep Discovery™ uses behavioral analysis to detect unknown malware. CAS builds on top of the security measures included with Microsoft® Office 365™ and to date CAS has detected and blocked more than four million additional malicious files and URLs.

CAS also scans internal email to uncover malicious attempts to use email as a gateway to migrate within corporate networks from already compromised user accounts or devices. CAS integrates directly with cloud services such as Office 365 via APIs to preserve the apps’ user and administrative features and functions.

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites provide application control, vulnerability shielding and high-performance security solutions against ransomware and other attacks at multiple layers using the broadest range of anti-malware techniques available. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers—whether physical, virtual or in the cloud.

Trend Micro also provides security solutions for SMBs via Worry-Free™ Services Advanced cloud security, behavior monitoring and real-time web reputation for devices and emails. Trend Micro Security 10 provides home users robust protection against ransomware and other malware by blocking malicious websites, emails and related files.

Related Hashes:

  • 55852EE512521BB189C59405435BB0808BCB26D2 – VBS_CERBER.CAD
  • 8D8E41774445096B68C702DC02E6B2F49D2D518D – W2KM_CERBER.CAD
  • C8F3F0A33EFE38E9296EF79552C4CADF6CF0BDE6 – Ransom_CERBER.CAD

With analysis from Joseph C. Chen, Yi Zhou, Isabel Segismundo, Franklynn Uy and Francis Antazo.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro
