Experts observed several malvertising campaigns deliver Cerber 4.0

Cerber 4.0 is the latest variant of the Cerber ransomware family that is becoming even more common in the malvertising campaign in the wild.

Another variant of the notorious Cerber ransomware, the Cerber 4.0, appeared in the wild delivered by several exploit kits, including RIG, Neutrino, and Magnitude EKs.

According to the experts from Trend Micro, the Cerber 4.0 first appeared in October and became very popular in the criminal ecosystem where it is still used to power several malvertising campaigns.

The Cerber ransomware has rapidly evolved since its first apparition, it is considered one of the greatest success of the Ransomware-as-a-service (RaaS).

The Cerber 4.0 was released in the wild a few weeks after the version 3.0, it encrypts files and appends a randomly generated file extension (while the previously used extensions were .cerber3, .cerber2, .cerber).

The newest variant has shifted from an HTML ransom note to an HTA one.

The experts noticed that recently Cerber 4.0 is mainly dropped by the RIG toolkit, which is also the most active Exploit kit in this period.

The RIG toolkit was observed for example in the PseudoDarkleech malvertising campaign that was previously seen distributing ransomware such as CrypMIC and CryptXXX.

“As we reported previously, Cerber has become one of the most prominent ransomware families of 2016. It has a wide range of capabilities and is often bought and sold as a service (ransomware-as-a-service or RaaS)—even earlier versions were peddled as RaaS in underground markets. The rapid release of Cerber updates have made it an increasingly popular payload for several exploit kits. ” reported TrendMicro.

The experts also noticed another malvertising campaign dropping the Cerber 4.0 via the Magnitude exploit kit. The campaign has been seen targeting devices in numerous Asian countries, including Taiwan, Korea, Hong Kong, Singapore, and China.

The experts noticed many other campaigns leveraging on the Cerber 4.0 including one that usually employs a casino-themed fake advertisement.

Another campaign started on October 3 is leveraging the Neutrino exploit kit to target users in the US, Germany, Spain, Taiwan, and Korea.

“Malvertising and exploit kits in general are being developed and improved constantly by cybercriminals, so keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities,” Trend Micro researchers note.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cerber 4.0, ransomware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.