There is a new Cerber ransomware variant that has evolved to get around machine learning, researchers said.
The ransomware is using a new loader that appears designed to evade detection by machine learning solutions. This loader can hollow out a normal process where the Cerber code is instead run, according to researchers at Trend Micro.
Cerber, like its ransomware relatives, also arrives by email through a link to a self-extracting archive. The emails usually claim to be from various utilities, said Gilbert Sison, threats analyst at Trend Micro, in a blog post. They contain a link to a self-extracting archive that has been uploaded to a Dropbox account controlled by the attackers; the target downloads and opens it, infecting the system.
The archive contains three files: a Visual Basic Script, a DLL, and a binary file. The script loads the DLL, and the DLL reads the binary file and executes it.
Once deployed, the loader checks to see if it is running in a sandbox. If it’s not, it injects the Cerber binary into one of several running processes.
“This new evasion technique does not defeat an anti-malware approach that uses multiple layers of protection,” Sison said. “Cerber has its weaknesses against other techniques. For instance, having an unpacked .DLL file will make it easy to create a one-to-many pattern; alternately having a set structure within an archive will make it easier to identify if a package is suspicious. Solutions that rely on a variety of techniques, and are not overly reliant on machine learning, can still protect customers against these threats.”
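As an added example, not code from Trend Micro or from the article, the following implements the "set structure within an archive" check Sison describes: a package whose members are a script, a DLL and an opaque binary blob together matches the three-file loader layout reported above. It runs on a constructed zip standing in for the self-extracting archive; the member names, contents and the entropy threshold are assumptions.

```python
import io
import math
import zipfile
from collections import Counter

# Extensions treated as the "script" role of the triad (assumed list).
SCRIPT_EXTS = {".vbs", ".js", ".wsf"}
# Assumed threshold: encrypted or packed payloads sit close to 8.0 bits/byte.
BLOB_ENTROPY_MIN = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_member(name: str, data: bytes) -> str:
    """Assign one archive member to a role: script, dll, opaque_blob or other."""
    parts = name.lower().rsplit(".", 1)
    ext = "." + parts[1] if len(parts) == 2 else ""
    if ext in SCRIPT_EXTS:
        return "script"
    if ext == ".dll" and data[:2] == b"MZ":  # PE header magic
        return "dll"
    if shannon_entropy(data) >= BLOB_ENTROPY_MIN:
        return "opaque_blob"
    return "other"


def flag_loader_structure(archive_bytes: bytes) -> dict:
    """Classify every member and flag the script + DLL + blob combination."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        members = {i.filename: classify_member(i.filename, zf.read(i))
                   for i in zf.infolist() if not i.is_dir()}
    present = set(members.values())
    return {"members": members,
            "suspicious": {"script", "dll", "opaque_blob"} <= present}


def build_sample(suspicious: bool) -> bytes:
    """Constructed in-memory zip; all contents are inert placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if suspicious:
            zf.writestr("run.vbs", b"' placeholder script text\r\n")
            zf.writestr("helper.dll", b"MZ" + b"\x00" * 254)
            zf.writestr("data.bin", bytes(range(256)) * 16)  # uniform bytes
        else:
            zf.writestr("readme.txt", b"Monthly statement attached.\r\n")
            zf.writestr("notes.txt", b"Nothing to see here.\r\n")
    return buf.getvalue()
```

Flagging the triad is a triage signal to pair with other layers, not a verdict: a benign installer can ship the same file types, which is why the quote frames it as one technique among several.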