Cerber Ransomware Actors Shift to Password-Protected Documents

Cloudmark has recently observed a shift in tactics from the actors behind the Cerber family of ransomware. The actors behind the Cerber malware attacks have shifted to using password protected documents to deliver their malware. The use of encrypted documents is not a new tactic and has been around for many years. As we reported, a similar tactic was used by the Russian Cosy Bear hackers in politically motivated spear phishing attacks. However, this is relatively new behaviour for the Cerber gang. The Cerber ransomware family is one of many that have emerged over the past few years riding the wave of popularity of ransomware as a means of generating income for cyber criminals. Cerber actors have been increasingly shifting tactics in the past few weeks. One tactic that has recently emerged is the use of the TOR-to-web proxy: .onion.to. TOR is an anonymity network that makes it easy for criminals to anonymously host content using what are called "TOR hidden services." TOR hidden services are hosted on the .onion domain and generally require users to have a TOR client installed in order to access the network. The .onion.to proxy essentially allows users to view content hosted on the TOR anonymity network without have a TOR client installed. We've seen many variations of abuse by the Cerber actors of the .onion.to proxy service to link to their malicious payloads. In this case they have used a combination of a couple of techniques:

• password-protected .doc file with embedded macro code
• embedded macro code using Windows Powershell to download the Cerber payload

Encrypting the macro-enabled document is an effective technique because it blocks the ability of automated systems to detect the presence of macro code in the document. The attack initiates as a typical social engineering email with a .doc attachment:

Note the password for the document in the email. Upon opening the attachment, the user is presented with the following password screen:

If the user successfully enters the correct password we see a typical Cerber document encouraging the user to reduce their security settings by enabling macro content:

Finally, the macro code downloads the Cerber payload using Windows Powershell. As mentioned the payload is hosted on the TOR network and accessed using the .onion.to proxy via the following links: hxxps://6ffnownlcnzlrn7w.onion[.]to/explore.exe hxxps://qgwe5vzczhrjwien.onion[.]to/querty.exe At the time of analysis the .onion.to proxy links were down, and the .onion.to operators can be given credit for disabling access to malicious content. Having content removed from a hidden service is more difficult than just blocking the proxy, and as a result Cloudmark researchers were able to retrieve the payload directly from TOR, which is the Cerber ransomware binary: MD5: a09f4041f9c8ac4b5d0de2a8d73a7ed7 [VirusTotal] When the Cerber binary is executed, the user will be presented with the classic Cerber desktop message:

As always, Cloudmark Authority customers are protected from this threat and other similar ransomware threats delivered by email. Remember to follow best practices for email. including do not open emails from unknown sources, and never enable macro content in an untrusted document.