The latest technique used by the cyber criminals behind Cerber ransomware is called a “malware factory”: it generates a new version of the ransomware every 15 seconds in order to bypass victims’ security software.
Cerber is presently considered one of the most active ransomware threats, backed by a group that has put in the time and resources to grow its operations and evolve its malware payload.
Since the beginning of this year, Cerber has changed constantly, and so far no one has been able to create a free decrypter for it.
The security company Invincea reports on the latest change in Cerber’s mode of operation. Invincea says that while its researchers were analyzing a log of Cerber’s most recent infection techniques and trying to reproduce the infection chain, they obtained a Cerber ransomware payload whose file hash differed from the sample they had started from.
When they reproduced the infection chain again a little later, the researchers got a third hash, then a fourth, and so on. They soon concluded that Cerber’s C&C servers were churning out Cerber binaries with different file hashes every 15 seconds.
It was a clear, tell-tale sign of a “malware factory”: an automated malware assembly line that builds Cerber payloads but makes small modifications to each file’s internal structure so that every build carries a unique hash.
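This is why blocking on exact file hashes fails against such a factory, and why defenders fall back on structure- or similarity-based matching. The following is an added example, not code from Invincea or from Cerber: it uses a constructed 4096-byte stand-in for the payload, a hypothetical `factory_variant` that models the "small modifications" (overwrite a few header bytes, append fresh overlay), and a piecewise-hash check that still recognizes the rebuilt variants even though their SHA-256 values all differ.

```python
import hashlib
import random

CHUNK = 64  # bytes per piece; smaller pieces tolerate more scattered edits


def full_hash(data: bytes) -> str:
    """Exact-match hash: changes when even one byte of the file changes."""
    return hashlib.sha256(data).hexdigest()


def piecewise_hashes(data: bytes, chunk: int = CHUNK) -> set:
    """Hash each fixed-size piece separately; an edit only invalidates the piece it lands in."""
    return {hashlib.sha256(data[i:i + chunk]).hexdigest()[:16]
            for i in range(0, len(data), chunk)}


def similarity(a: bytes, b: bytes, chunk: int = CHUNK) -> float:
    """Jaccard overlap of piece hashes: 1.0 means identical pieces, 0.0 nothing in common."""
    ha, hb = piecewise_hashes(a, chunk), piecewise_hashes(b, chunk)
    return len(ha & hb) / len(ha | hb)


def matches_known(sample: bytes, known: bytes, threshold: float = 0.8) -> bool:
    """Defender check: flag a file whose pieces largely overlap a known payload."""
    return similarity(sample, known) >= threshold


def rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed stand-in for a payload: 4096 pseudo-random bytes (64 whole pieces), not real malware.
BASE = rand_bytes(random.Random(1), 4096)


def factory_variant(base: bytes, seed: int) -> bytes:
    """Hypothetical model of the rebuild step: overwrite 4 bytes inside the first piece
    (think of a header timestamp) and append 32 bytes of fresh overlay, leaving the
    rest of the payload untouched. This is an assumption, not Cerber's actual behaviour."""
    rng = random.Random(seed)
    buf = bytearray(base)
    pos = rng.randrange(0, CHUNK - 4)
    buf[pos:pos + 4] = rand_bytes(rng, 4)
    return bytes(buf) + rand_bytes(rng, 32)


if __name__ == "__main__":
    v1, v2 = factory_variant(BASE, 15), factory_variant(BASE, 30)
    print("sha256 equal:", full_hash(v1) == full_hash(v2))          # False
    print("piecewise similarity:", round(similarity(v1, v2), 3))    # about 0.94
    print("flagged against known sample:", matches_known(v2, BASE))  # True
```

With 64-byte pieces, the two variants still share 63 of their 65 pieces, so a similarity threshold of 0.8 keeps matching them while every new SHA-256 is unseen.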
Deeper analysis of the Cerber payloads showed a connection to a suspicious file sample first collected in September of last year, after it was dropped by the Neutrino exploit kit.
That sample is believed to be one of the earliest Cerber ransomware samples, dating from long before researchers discovered the ransomware in February – March of this year. “By constantly morphing the same old binary from 2015 [Cerber] is able to evade detection quite easily,” said Patrick Belcher from Invincea.
Belcher is one of the authors of a research paper on malware factories and polymorphic malware. In addition, Invincea says that it has previously discovered a Cerber sample which included the ability to launch DDoS attacks.