Experts observed several malvertising campaigns deliver Cerber 4.0

Cerber 4.0 is the latest variant of the Cerber ransomware family that is becoming even more common in the malvertising campaign in the wild.

Another variant of the notorious Cerber ransomware, the Cerber 4.0, appeared in the wild delivered by several exploit kits, including RIG, Neutrino, and Magnitude EKs.

According to the experts from Trend Micro, the Cerber 4.0 first appeared in October and became very popular in the criminal ecosystem where it is still used to power several malvertising campaigns.

The Cerber ransomware has rapidly evolved since its first apparition, it is considered one of the greatest success of the Ransomware-as-a-service (RaaS).

The Cerber 4.0 was released in the wild a few weeks after the version 3.0, it encrypts files and appends a randomly generated file extension (while the previously used extensions were .cerber3, .cerber2, .cerber).

The newest variant has shifted from an HTML ransom note to an HTA one.

The experts noticed that recently Cerber 4.0 is mainly dropped by the RIG toolkit, which is also the most active Exploit kit in this period.

The RIG toolkit was observed for example in the PseudoDarkleech malvertising campaign that was previously seen distributing ransomware such as CrypMIC and CryptXXX.

“As we reported previously, Cerber has become one of the most prominent ransomware families of 2016. It has a wide range of capabilities and is often bought and sold as a service (ransomware-as-a-service or RaaS)—even earlier versions were peddled as RaaS in underground markets. The rapid release of Cerber updates have made it an increasingly popular payload for several exploit kits. ” reported TrendMicro.

The experts also noticed another malvertising campaign dropping the Cerber 4.0 via the Magnitude exploit kit. The campaign has been seen targeting devices in numerous Asian countries, including Taiwan, Korea, Hong Kong, Singapore, and China.

The experts noticed many  other campaigns leveraging on the Cerber 4.0 including one that usually employs a casino-themed fake advertisement.

Another campaign started on October 3 is leveraging the Neutrino exploit kit to target users in the US, Germany, Spain, Taiwan, and Korea.

“Malvertising and exploit kits in general are being developed and improved constantly by cybercriminals, so keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities,” Trend Micro researchers note.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cerber 4.0, ransomware)