The Cerber ransomware family has picked up a new trick: a loader built to slip past static machine learning detection.
According to Trend Micro, the new loader hollows out a legitimate process and runs the Cerber code inside it instead.
Cerber is still delivered by email, via malicious links to a self-extracting archive hosted on Dropbox that downloads the ransomware. Before doing anything else, the new loader checks whether it is running in a virtual machine (VM) or a sandbox, whether certain analysis tools are running on the machine and whether certain AV products are present. If any of these checks trips, the malware stops running.
Meanwhile, “the main payload of the loader is the injection of code in another process. In this case, the injected code is the whole Cerber binary, and it can be injected into [normal processes],” the firm said, in an analysis. “The new packaging and loading mechanism employed by Cerber can cause problems for static machine learning approaches—i.e., methods that analyze a file without any execution or emulation….Self-extracting files and simple, straightforward files could pose a problem for static machine learning file detection. All self-extracting files may look similar by structure, regardless of the content. Unpacked binaries with limited features may not look malicious either.”
Every new malware detection technique eventually draws a matching evasion technique from attackers.
“This is a typical game of cat and mouse,” said Travis Smith, senior security research engineer for Tripwire, via email. “Criminals make an innovation in their techniques, so defenders follow suit. Once the criminal’s activities are being slowed by defensive measures, they continue to change their tactics. As far as the seriousness of these evasion techniques, they pose no additional risk to the end-user when it comes to protecting themselves. The best practices continue to follow safe internet browsing habits and back up critical files in the case of an infection.”
This new evasion technique does not defeat an anti-malware approach that uses multiple layers of protection, Trend Micro stressed.
“Cerber has its weaknesses against other techniques,” the firm said. “For instance, having an unpacked .DLL file will make it easy to create a one-to-many pattern; alternately having a set structure within an archive will make it easier to identify if a package is suspicious. Solutions that rely on a variety of techniques, and are not overly reliant on machine learning, can still protect customers against these threats.”
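To make Trend Micro's point concrete, the following is an added example, not code from the article or from Trend Micro. It builds two constructed self-extracting packages with the same layout (a script launcher, a DLL and an opaque blob, an assumed layout chosen for illustration) that differ only in the DLL payload, shows that container-level static features cannot tell them apart, and then applies the two layered checks the quote describes: a one-to-many byte pattern over the unpacked DLL and a structural rule over the archive contents. The file names and the `KNOWN_BAD_DLL_PATTERN` marker are assumptions, not real Cerber indicators.

```python
"""Added example (not from the article or Trend Micro): why a static model that only
sees the outer self-extracting package cannot separate two packages with identical
structure, while a layered check that unpacks and inspects the contents can.
The archive layout and the marker bytes below are constructed assumptions."""
import hashlib
import io
import zipfile

# Constructed sample contents. The two DLL stand-ins are the same length and differ
# only in a 24-byte marker, so the packages look alike from the outside.
LAUNCHER = b'Set o = CreateObject("WScript.Shell")\r\no.Run "rundll32 loader.dll,Entry"\r\n'
BENIGN_DLL = b"MZ" + b"\x00" * 62 + b"export-helper-functions1" + bytes(range(200)) * 4
MALICIOUS_DLL = b"MZ" + b"\x00" * 62 + b"inject-into-host-process" + bytes(range(200)) * 4
BLOB = bytes((i * 37 + 11) % 256 for i in range(1024))

# Hypothetical one-to-many pattern (an assumption): a byte sequence that every
# repackaging of the same unpacked DLL would still contain.
KNOWN_BAD_DLL_PATTERN = b"inject-into-host-process"


def build_sfx(dll_bytes: bytes) -> bytes:
    """Build an in-memory ZIP as a stand-in for a self-extracting package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("run.vbs", LAUNCHER)
        zf.writestr("loader.dll", dll_bytes)
        zf.writestr("data.bin", BLOB)
    return buf.getvalue()


def static_features(sfx: bytes) -> tuple:
    """Container-level features a file-only static model might see without unpacking:
    entry count, the sorted set of extensions and each entry's size bucketed to 256 bytes."""
    with zipfile.ZipFile(io.BytesIO(sfx)) as zf:
        infos = zf.infolist()
    exts = tuple(sorted({i.filename.rsplit(".", 1)[-1].lower() for i in infos}))
    size_buckets = tuple(i.file_size // 256 for i in infos)
    return (len(infos), exts, size_buckets)


def dll_sha256(sfx: bytes) -> str:
    """One-to-one identifier of the unpacked DLL; breaks as soon as one byte changes."""
    with zipfile.ZipFile(io.BytesIO(sfx)) as zf:
        return hashlib.sha256(zf.read("loader.dll")).hexdigest()


def one_to_many_pattern(sfx: bytes) -> bool:
    """Unpack the archive and scan any DLL for the known pattern (one pattern, many samples)."""
    with zipfile.ZipFile(io.BytesIO(sfx)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".dll") and KNOWN_BAD_DLL_PATTERN in zf.read(name):
                return True
    return False


def structural_rule(sfx: bytes) -> bool:
    """A set structure inside the archive as a signal in itself: a script launcher
    next to a DLL and an opaque blob is suspicious regardless of their contents."""
    with zipfile.ZipFile(io.BytesIO(sfx)) as zf:
        exts = {n.rsplit(".", 1)[-1].lower() for n in zf.namelist()}
    return {"vbs", "dll", "bin"} <= exts


def layered_verdict(sfx: bytes) -> str:
    """Combine the checks: a content pattern outranks the weaker structural rule."""
    if one_to_many_pattern(sfx):
        return "malicious"
    if structural_rule(sfx):
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    benign, bad = build_sfx(BENIGN_DLL), build_sfx(MALICIOUS_DLL)
    repacked = build_sfx(MALICIOUS_DLL + b"\x00" * 16)  # same DLL, padded and repackaged
    print("same static features:", static_features(benign) == static_features(bad))
    print("hash survives repack:", dll_sha256(bad) == dll_sha256(repacked))
    for label, sfx in (("benign", benign), ("malicious", bad), ("repacked", repacked)):
        print(label, "->", layered_verdict(sfx))
```

The static features are identical for all three packages, so a model restricted to them has nothing to learn from; the SHA-256 of the DLL changes as soon as the sample is repacked, while the pattern over the unpacked DLL still fires, which is what makes it a one-to-many signature. The structural rule alone only reaches "suspicious", including for the benign package, which is why it is used as a supporting layer rather than a verdict on its own.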