Criminals behind the latest Cerber ransomware variant are leveraging Google redirects and Tor2Web proxies in a novel way to evade detection.
Researchers with Cisco Talos spotted the shifting tactic last week when they began tracking the latest Cerber (5.0.1) ransomware variant. The technique departs from Cerber’s typical attack strategy of spam campaigns, malicious attachments and well-written, professional-looking emails, according to Talos researchers.
“This campaign looked different in that the messages didn’t contain an attachment and were extremely short and basic,” wrote Cisco Talos researchers in a report posted Monday. According to Talos, the Cerber spam campaign more closely resembled something associated with Locky ransomware, which relies heavily on script-based file extensions used to download the Locky executable.
Talos describes this latest Cerber campaign as a “potential next evolution for ransomware distribution” that relies heavily on the Tor network and Dark Web to obfuscate the attacker’s activity and thwart mitigation efforts.
According to Talos, the Cerber 5.0.1 variant forgoes the use of malicious attachments in exchange for emails that contain hyperlinks. Targets are enticed to click hyperlinks that are disguised as various files of potential interest to recipients such as pictures, order details, transaction logs and loan acceptance letters.
“When a victim clicks on a hyperlink they are taken to a Google redirect that points (the browser) to a malicious Word document hosted on the Dark Web. But because you need a Tor browser to access the Dark Web, attackers use the Google redirect service to connect targets to a Tor2Web proxy service first,” said Nick Biasini, researcher with the Cisco Talos team.
Use of the Tor2Web proxy service allows adversaries to host files on the Dark Web, making it extremely difficult to know where files are hosted and shut down the offending server, Biasini said. “Using proxy services like Tor2Web enables access to the Tor network without requiring a Tor client to be installed locally on the victim’s system,” researchers point out.
“We have seen Tor used in ransomware quite a bit. But it has been used primarily for command-and-control communications and retrieving ransom notes for the victims to get Bitcoin wallets. What makes this most recent Cerber (5.0.1) variant so interesting to researchers is the fact the hosting of all the malicious activity is on Tor,” Biasini said.
That’s not to say earlier incarnations and techniques associated with Cerber ransomware have been abandoned. Still, the bulk of Cerber, Biasini said, is distributed using traditional techniques such as the RIG exploit kit and malicious attachments sent via spam campaigns. “The reason this campaign is important is because it signals an evolution for Cerber adversaries,” Biasini said.
Cerber, which is best known for its high creep factor in using text-to-speech to “speak” its ransom note to victims, was first spotted in the wild in February. Its typical distribution method was via exploit kits, with Magnitude and Nuclear Pack exploiting a zero-day in Adobe Flash Player (CVE-2016-1019). In May, researchers at FireEye reported that Cerber was part of spam campaigns linked to Dridex botnets. In August, researchers reported a new Cerber variant, dubbed Cerber 2, which they said was part of a ransomware-as-a-service ring.
“Cerber has continued to shift its tactics and evolve rapidly over just the past several months,” Biasini said.
In this most recent campaign, once the initial redirection and Tor2Web proxying occurs, the victim’s system downloads a malicious Word document. If a potential victim chooses to open the downloaded file, the document prompts them to “enable content,” which turns on the macro.
“If the victim opens the malicious MS Word document and enables macros, the downloader will use the Windows Command Processor to invoke PowerShell which will then download (using Tor2Web) and execute the actual Cerber PE32 executable,” Talos describes.
This version of Cerber demands 1.4 bitcoins ($1,000). If the ransom demand is not met within five days the ransom payment amount doubles.
“This latest distribution campaign highlights how ransomware-based threats are continuing to evolve and mature over time, and shows an increasingly sophisticated infection process as attackers continue to implement new methods to attempt to evade detection and make analysis more difficult,” Talos researchers wrote.
Talos recommends that all Tor2Web and Tor traffic be blocked within organizations as the most effective way to mitigate risk from this latest Cerber threat. “Organizations need to decide if the business case for allowing Tor and Tor2Web on the network outweighs the potential risks to its users,” Cisco Talos wrote.
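One way a mail or proxy filter can act on this recommendation is to unwrap the Google redirect described above and check whether the real destination is a Tor2Web gateway. This is an added example, not Talos code; it assumes the redirect carries its destination in the `url` or `q` query parameter of `google.com/url`, and the gateway suffix list is a constructed, illustrative block list a defender would maintain.

```python
"""Flag email hyperlinks that use a Google redirect to reach a Tor2Web gateway.

Added example, not from the Talos report. Assumes google.com/url?q=... or
?url=... redirects; the gateway suffixes below are a constructed block list.
"""
from urllib.parse import urlparse, parse_qs

# Constructed, illustrative list of clearnet gateways that proxy .onion sites.
TOR2WEB_SUFFIXES = ("onion.to", "onion.link", "onion.cab", "onion.city", "tor2web.org")


def unwrap_google_redirect(url):
    """Return the destination behind a google.com/url redirect, else the url itself."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if (host == "google.com" or host.endswith(".google.com")) and p.path == "/url":
        qs = parse_qs(p.query)  # parse_qs already percent-decodes the values
        for key in ("url", "q"):
            if key in qs:
                return qs[key][0]
    return url


def is_tor2web(url):
    """True if the host is an .onion address or a known Tor2Web gateway domain."""
    host = (urlparse(url).hostname or "").lower()
    if host.endswith(".onion"):
        return True
    return any(host == s or host.endswith("." + s) for s in TOR2WEB_SUFFIXES)


def classify_link(url):
    """Return (final_destination, verdict); verdict is 'tor2web', 'redirect' or 'clean'."""
    final = unwrap_google_redirect(url)
    if is_tor2web(final):
        return final, "tor2web"
    if final != url:
        return final, "redirect"
    return final, "clean"


# Constructed sample links, not real indicators from the campaign.
SAMPLE_LINKS = [
    "https://www.google.com/url?q=http://abcdefghij123456.onion.to/order_details.doc",
    "https://www.google.com/url?url=https%3A%2F%2Fexample.com%2Finvoice.pdf",
    "https://example.com/photo.jpg",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        dest, verdict = classify_link(link)
        print(f"{verdict:8} {dest}")
```

A "tor2web" verdict is the case to block or quarantine; a plain "redirect" verdict is worth logging, since the campaign relies on the redirect to hide the true host from a casual glance.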