Researchers say that Cerber Ransomware`s newest version – Cerber 4.1.4 is currently being spread with the help for Word documents with malicious macros. The macros are the one responsible for the download and the installment processes. Cybercriminals are using spam emails to send the Word documents in zipped attachments to their victims. Usually, the emails come with subjects like “RE: Invoice 257224”.
Moreover, another feature that version has and which was not seen in the previous ones is the usage of many IP ranges. The ransomware uses them to send information and statistics about its victims to its Command and Control servers.
The name of the Word docs includes only numbers in it, for example, “566474170.doc”. However, the malicious macros needed for Cerber to be downloaded and installed are not enabled by default in some current Word versions. In such cases, the doc contains a message to trick the victims into enabling them manually by clicking on the Enable Content button.
Once macros are enabled, the AutoOpen() documents will be executed. At first, the malicious macros will be obfuscated so the victims cannot understand what they are actually doing. After the obfuscation process is over, a PowerShell command will execute a base64 encoded string. When base64 is further decoded, we are able to read commands which are about to the executed.
For instance, we could see that a winx64.exe file will be downloaded from a remote site, saved to %AppData%\winx64.exe and then executed. This file is the main executable of Cerber Ransomware so once it is executed on the victims` computers it will start encrypting their data.
Like in older Cerber variants, an extension will be appended to all encrypted data. It is based on the computer’s MachineGuid value found in the HKLM\Software\Microsoft\Cryptography registry key. Also, the ransomware creates and drops a ransom note, named “Readme.hta”.
As mentioned above, Cerber 4.1.4 uses multiple IPs to send statistical information to the C&C. Previous versions use only one but this variant relies on the following three: 220.127.116.11/27, 18.104.22.168/27, 22.214.171.124/22.