Malware coders behind the Cerber ransomware are now using a technique called “malware factory” to create a different version of their ransomware every 15 seconds in order to bypass client-side security software.

Cerber is one of today’s most active ransomware threats, backed by a group that has put in the time and resources to grow operations and evolve their malware payload.

The ransomware has constantly changed since the beginning of the year when it was first spotted, and nobody was able to create a free decrypter until now.


Cerber joins the ranks of polymorphic malware families

US security firm Invincea is reporting on the most recent change in Cerber’s mode of operation. The company says that while it was analyzing a log file of Cerber’s latest infection techniques, while trying to reproduce the infection chain, their analysts got a Cerber ransomware payload with a different file hash.

Retrying the infection chain after a few moments, the researchers got a third hash, and then a fourth hash, and so on. It didn’t take them long to figure out that Cerber’s C&C servers were churning out Cerber binaries with different file hashes every 15 seconds.

This was a tell-tale sign of a “malware factory,” an automated malware assembly line that puts together Cerber payloads but makes small modifications to the file’s internal structure so to generate files with unique hashes.

Having files with unique hashes allows Cerber to infect computers that feature antivirus products. Even if the antivirus has seen the Cerber ransomware before, it detects the threat using a list of hashes in an internal virus signature database. Because Cerber payloads get a new and unique hash every 15 seconds, it allows them to bypass basic scanning techniques.

Was Cerber created in September 2015?

A deeper look at the Cerber payloads showed a connection to a suspicious file sample first collected in September 2015, after being dropped by the Neutrino exploit kit.

This might be one of the earliest Cerber ransomware samples, long before researchers discovered Cerber in late February, early March.

“By constantly morphing the same old binary from 2015 [Cerber] is able to evade detection quite easily,” Invincea’s Patrick Belcher explained, who is coincidentally one of the authors of a research paper on malware factories and polymorphic malware.

Previously, Invincea also claims to have discovered a Cerber sample that included the ability to launch DDoS attacks.

The infection chain of a recent Cerber ransomware sample

The infection chain of a recent Cerber ransomware sample

Let’s block ads! (Why?)

Related Posts

Facebook Comments

Return to Top ▲Return to Top ▲