In the new version of the Cerber ransomware, one of today’s most feared ransomware threat, malware coders used a new feature in their feared software called “malware factory” to create different versions of Cerber every 15 seconds to bypass security programs on the client’s side.
The ransomware scene has changed a lot since the appearance of the malware. At the beginning, no one was able to create a free decrypter until now, however, coders are using their time and resources to grow operations and evolve their malware payload.
Invincea, a security firm in the US, just reported on Cerber’s most recent mode of operation. According to the company, while they were analyzing a log file of the malware’s latest infection techniques and watching it trying to reproduce the infection chain, the analysts got a Cerber ransomware payload with a different file hash.
Retrying the infection chain after a few moments, the researchers got a third hash, and then a fourth hash, and so on. It didn’t take them long to figure out that Cerber’s C&C servers were churning out Cerber binaries with different file hashes every 15 seconds. This is a clear sign of a “malware factory,” an automated malware assembly line that puts together Cerber payloads, however, it makes small modifications to the file’s internal structure in order to generate files with unique hashes.
A deeper look at the Cerber payloads revealed a connection to a suspicious file sample, which was first collected in September 2015, after being dropped by the Neutrino exploit kit. It could be one of the earliest Cerber ransomware samples, long before researchers discovered it in late February – early March. Invincea’s Patrick Belcher, one of the authors of a research paper on malware factories and polymorphic malware, made this explanation:
“By constantly morphing the same old binary from 2015 [Cerber] is able to evade detection quite easily.”
The security firm also claims to have previously discovered a Cerber sample that had the ability to launch DDoS attacks.