New evasion techniques designed to elude machine learning security solutions have recently been observed. They were found on compromised machines alongside the Kovter click-fraud Trojan.
Since its appearance in March 2016, Cerber ransomware has become one of the most prevalent ransomware families worldwide. Apart from receiving a number of enhancements over the past year, the malware has also used various distribution channels, including exploit kits and spam emails, as well as other malware infections.
Last August, security experts at Invincea discovered that Cerber was being distributed by Betabot, a piece of malware originally developed as a banking information-stealing Trojan.
At present, Cyren security experts are observing Cerber being dropped by a click-fraud Trojan named Kovter, which was distributing Locky ransomware a few months ago. The spam campaign uses emails containing a JS downloader inside a .ZIP archive and relies on victims to run the downloader, which fetches both malware families at once. The ransomware then encrypts the victims’ files and displays a ransom note, while Kovter, which is capable of fileless infection, remains silent.
The Cyren security team says Kovter was paired with Cerber in order to make maximum use of system resources for ad fraud whenever the user leaves the infected system idle. The pairing also ensures that malware remains on the system after Cerber is removed, and increases the attackers’ profit.
In any case, the experts believe the anti-sandbox and anti-detection technology is used to ensure maximum infection success.
Meanwhile, Trend Micro researchers have also noticed that Cerber was using a new loader that can evade not only traditional security mechanisms, but machine learning solutions as well. According to the experts, the loader has been created to hollow out a normal process and run Cerber’s code instead.
The campaign relies on spam emails to deliver a link to a self-extracting archive uploaded to a Dropbox account controlled by the attackers. The archive contains three files: a Visual Basic script, a DLL file, and a binary file that looks like a configuration file. The script is designed to run under the Windows Script Host and to load the DLL by invoking rundll32.exe with the DLL’s filename.
In this case, the DLL is neither packed nor encrypted. It reads the configuration file, decrypts part of it, and executes the decrypted code, which contains the loader and its configuration settings. The loader then checks whether it is running in a virtual machine or sandbox, whether analysis tools are installed, and whether anti-virus software is running, and terminates the infection if it finds any of these. Finally, the main payload (the Cerber binary) is injected into another process.
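The loading chain described above (a Windows Script Host process invoking rundll32.exe to load a DLL dropped into a user-writable directory) is the kind of parent/child relationship a SOC can alert on without relying on static file classification. The following is an added example, not code from the Cyren or Trend Micro reports: detection logic run over constructed Sysmon-style process-creation records; the field names, paths and file names are assumptions.

```python
"""Flag rundll32.exe launched by wscript.exe/cscript.exe with a DLL
argument located outside the Windows system directories.
Records below are constructed samples in a Sysmon-like shape."""
import re

WSH_IMAGES = {"wscript.exe", "cscript.exe"}
# Directories a dropper can write to; System32 DLLs are not flagged.
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata)\\", re.IGNORECASE)
# First .dll token on the command line, stopping at quotes, spaces or the
# comma that separates the DLL path from its export name.
DLL_ARG = re.compile(r'([^"\s,]+\.dll)', re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_loader_chain(event: dict) -> bool:
    """True when rundll32.exe is spawned by WSH to load a user-directory DLL."""
    if basename(event["Image"]) != "rundll32.exe":
        return False
    if basename(event["ParentImage"]) not in WSH_IMAGES:
        return False
    match = DLL_ARG.search(event["CommandLine"])
    return bool(match and USER_WRITABLE.search(match.group(1)))


def find_loader_chains(events):
    """Return the subset of events that match the WSH -> rundll32 pattern."""
    return [e for e in events if is_loader_chain(e)]


# Constructed sample telemetry (hypothetical host and file names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'rundll32.exe "C:\Users\victim\AppData\Local\Temp\sfx\loader.dll",Run'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in find_loader_chains(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

Because the page notes the DLL is delivered unpacked, a file-hash or signature layer on the dropped DLL complements this behavioural rule.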
“The new packaging and loading mechanism employed by Cerber can cause problems for static machine learning approaches, i.e., methods that analyze a file without any execution or emulation. Self-extracting files and simple, straightforward files could pose a problem for static machine learning file detection. In other words, the way Cerber is packaged could be said to be designed to evade machine learning file detection,” Trend Micro says.
According to the experts, the good news is that the new evasion techniques can be defeated by security approaches that employ multiple layers of protection, because the attack has other weaknesses, such as the use of an unpacked .DLL file. Solutions that do not depend heavily on machine learning can also prove effective against this malware.