The new variant was built to avoid detection

Mar 30, 2017 00:15 GMT

As if ransomware weren't bad enough, there's a new Cerber variant out there that can now evade machine learning-based detection.

According to researchers from security firm Trend Micro, this new variant has been broken into separate components that look harmless on their own in order to fool machine learning-based detection systems.

Every new variant of malware brings something extra to the table: a new way to avoid detection, a new capability, and so on. In fact, if it weren't for their nefarious purposes, the inventiveness of these individuals would be something we praise. That, however, is not the case with the Cerber ransomware, which has been known to do quite a bit of damage.

"The Cerber changes are really interesting as they're a direct response to changes in how some products are detecting malware," said Mark Nunnikhoven, Trend Micro VP of cloud research.

This new version was built by separating the different stages of the malware into multiple files and dynamically injecting them into a running process, which helps conceal the ransomware from various detection methods.

How it works

Cerber, like many of its ransomware relatives, is also distributed via email through a link to a self-extracting archive stored in a Dropbox account controlled by attackers.

The archive holds three files: one is a Visual Basic Script, the second a DLL, and the third a binary file. The script loads the DLL, and the DLL reads the binary file and executes it.

Once deployed, the loader checks to see if it is running in a sandbox. If it's not, it injects the Cerber binary into one of several running processes.

"This new evasion technique does not defeat an anti-malware approach that uses multiple layers of protection. Cerber has its weaknesses against other techniques. For instance, having an unpacked .DLL file will make it easy to create a one-to-many pattern; alternately having a set structure within an archive will make it easier to identify if a package is suspicious. Solutions that rely on a variety of techniques, and are not overly reliant on machine learning, can still protect customers against these threats," reads the advisory.
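The advisory's point that "a set structure within an archive will make it easier to identify if a package is suspicious" can be turned into a simple triage check against the three-file layout described above (script, DLL, opaque binary). The following is an added example written for this article, not code from Trend Micro or from the Cerber analysis; it assumes a ZIP container and the file extensions and sample contents it constructs itself, since the article names neither.

```python
import io
import zipfile

# Assumption: script-like extensions a loader stage is likely to use.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
# Assumption: small archives are the interesting case for this heuristic.
MAX_MEMBERS = 5


def classify_member(name: str, data: bytes) -> str:
    """Label one archive member as 'script', 'pe' (DLL/EXE) or 'blob'."""
    lower = name.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    if ext in SCRIPT_EXTS:
        return "script"
    # A DLL is recognised by extension or by the PE/MZ magic at offset 0.
    if ext == ".dll" or data[:2] == b"MZ":
        return "pe"
    return "blob"


def assess_archive(archive_bytes: bytes) -> dict:
    """Flag archives that carry the script + DLL + binary triad."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        members = [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]
    kinds = {}
    for name, data in members:
        kinds[name] = classify_member(name, data)
    counts = {k: list(kinds.values()).count(k) for k in ("script", "pe", "blob")}
    # Suspicious only when every stage of the triad is present in a small archive.
    suspicious = (
        len(members) <= MAX_MEMBERS
        and counts["script"] >= 1
        and counts["pe"] >= 1
        and counts["blob"] >= 1
    )
    return {"member_count": len(members), "kinds": kinds,
            "counts": counts, "suspicious": suspicious}


def build_sample_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample mimicking the three-file layout; contents are inert filler.
CERBER_LIKE = build_sample_archive({
    "run.vbs": b"' constructed sample, does nothing\r\nWScript.Echo \"hi\"\r\n",
    "loader.dll": b"MZ" + b"\x00" * 62,      # only the MZ magic, not a real PE
    "payload.bin": bytes(range(256)),        # opaque binary stage
})

# Constructed benign archive with no loader stages at all.
BENIGN = build_sample_archive({
    "readme.txt": b"release notes\n",
    "notes.md": b"# notes\n",
})

if __name__ == "__main__":
    for label, sample in (("cerber-like", CERBER_LIKE), ("benign", BENIGN)):
        print(label, assess_archive(sample))
```

The check is deliberately structural rather than signature-based: it does not need to know anything about the packed payload, only that an archive bundles a script, a PE and an opaque blob, which is exactly the layered, non-ML signal the advisory describes.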