Cerber Ransomware On The Rise, Fueled By Dridex Botnet

Starting in April security experts at FireEye spotted a massive uptick in Cerber ransomware attacks delivered via a rolling wave of spam. Researchers there link the Cerber outbreaks to the fact that attackers are now leveraging the same spam infrastructure credited for making the potent Dridex financial Trojan extremely dangerous.

Cerber, which is best known for its high-creep factor in using text-to-speech to “speak” its ransom note to victims, was first spotted in the wild in February. Its typical distribution method was via exploit kits, with Magnitude and Nuclear Pack exploiting a zero day in Adobe Flash Player (CVE-2016-1019). But as recently as May 4, FireEye reports, Cerber is now part of a spam campaign linked to Dridex botnets.

“By partnering with the same spam distributor that has proven its capability by delivering Dridex on a large scale, Cerber is likely to become another serious email threat similar to Dridex and Locky,” wrote FireEye security analysts in a research blog posted Thursday.

Dridex is a financial Trojan that has emerged as a significant threat to consumers and business, targeting the acquisition of financially related credentials. Its chief means of distribution is Dridex botnets that have been behind massive spam campaigns since February and are responsible for pushing out millions of targeted spam messages a day.

Cerber ransomware, according to FireEye, follows the same spam framework as Dridex. Targets are sent emails with an attachment disguised as an invoice that contains malicious VBScript. Once the user opens the document, they’re encouraged to enable macros.

In the case of Cerber, the malicious attachment obfuscates the offending VBScript that may be detected by an email gateway or spam filter. Instead, the macro downloads and installs the VBScript in the %appdata% path of the targeted PC. The VBScript is further manipulated to avoid detection and reverse engineering through the injection of junk code.

Next, Cerber sniffs out whether a victim has an internet connection. If it does, the last piece of the Cerber ransomware is delivered. That’s when the VBScript sends an HTTP Range Request to fetch a JPEG file from a URL. “In the HTTP Request Headers, it sets the value of Range Header to: “bytes=11193-“. This indicates to the web server to return only the content starting at offset 11,193 of the JPG file,” FireEye wrote.

This multi-stage technique of delivering the Cerber payload, FireEye said, is similar to HTTP Range Request checks leveraged by Dridex and Ursnif Trojans.

Other similarities that Cerber has to Dridex include the fact that spam campaigns are typically English language only and are financially motivated booby-trapped with invoice, receipt, and order attachments.

Once Cerber goes to work on a system, it targets email, Word documents, and Steam (gaming) related files appending encrypted files with the ‘.cerber’ file extension. Victims are directed to visit various versions of the “decrypttozxybarc” domain. In some instances, FireEye said, Cerber also installs a spambot module on the host PC. Attackers, FireEye suspect, are in the test stages of using infected PCs for distributing spam.