by RSS Sarah (Qi) Wu, Jacob (Kuan Long) Leong  |  Dec 09, 2016  |  Filed in: Security Research

Introduction

A new unversioned Cerber has surfaced! It appears that the author(s) of Cerber is working hard to make more money during Christmas season. This latest version has relatively more changes as compared to the previous versions. The version number has now been removed from the desktop wallpapers of the infected machines, and this new Cerber release no longer has an apparent version number, which might make the tracking of the Cerber family more difficult than before. Another noticeable change is that the modified wallpaper now comes with a Christmas colour theme. It also appears to have improved the efficiency of searching for and encrypting files.  Moreover, it extends its encryption coverage by adding more file extensions to the file extension list. 

Updated Wallpaper

The version number of this new Ceber is no longer displayed on the desktop wallpaper. The text highlight is now red and the text is white, as shown in the figure below. Cerber versions 4 and 5 used to have fluorescent green text highlighted in black. The wallpaper of Cerber 5.0.1 is also shown below for comparison.  

Figure-1. The New Cerber Wallpaper

Figure-2. The Cerber 5.0.1 Wallpaper

Modified Instruction Filename

Just as before, this new version of Cerber drops instruction files to notify the user that their files have been encrypted, and also tells the user how to pay for and get the decryptor. However, the name of the instruction file has been changed from “_README_.hta” (Cerber 5.0.1) to “_README_{random string}_.hta”.  Appending random characters or numbers to the instruction filename would disable some simple AV detections, such as the detection of hardcoded filenames.

Figure-3. New Instruction Filename

Enhanced Multithreading Approach

This new Cerber release has further improved its multithreading approach. The new multithreading approach consists of two units: the file list generation unit and the file encryption unit. The file list generation unit searches files and adds them to a file list, which is a shared resource among all threads of both units. The file encryption unit fetches files from the file list and encrypts them. 

The file list generation unit creates one file searching thread per drive. Each thread is only responsible for searching the files in its corresponding drive. If a valid file is found and certain conditions are met, the file will be added to a file list. It is important to note that all threads share and add files to the same file list if there are multiple threads. 

The file encryption unit creates two threads for every processor of the infected machine. The number of processors is obtained by calling the API GetSystemInfo.  Each encryption thread fetches a file from the shared file list one at a time, and then encrypts the file. 

Both units run concurrently so that the file encryption unit begins to fetch files as soon as the file list generation unit adds files to the shared file list. This new multithreading approach appears to be more efficient at searching for and encrypting files as compared to its previous versions. The reason behind this is that the most time-consuming components are now run in separate threads and run in parallel. If interested, you can find more information here [1] about how the previous versions of Cerber handled multithreading. A flowchart illustrating the new file searching and encryption multithreading approach is shown below.           

Figure-4. A Flowchart of the New Multithreading Approach

More Target Files

This new version of Cerber is also able to encrypt additional file types, including more document files, database files, and graphic files. It now targets Linux backup files as well. To make software developers’ lives even more miserable, it also encrypts more script file types.  

Types

Added Extensions

Linux backup files

.gz, .tgz, .tar

Document files

.xlc, .wks, .wk1, .123, .602

Graphic files

.dip, .djv

Database files

frm, .myi, .onenotec2

Script files

.vb, .vbs, .bat, .cmd

Table-1. Added Extensions and Types

Conclusion

Many versions of the Cerber ransomware have been released since its first appearance.  Despite the high frequency of updates, some previous versions had few changes as compared to their respective predecessors. However, this new unversioned Cerber release appears to have more significant changes. We expect to see more aggressive updates soon. The Advanced Research Team will continue to track this family and share our findings with readers once new things come into light.

References

[1]  https://blog.fortinet.com/2016/12/02/cerber-5-0-1-arrives-with-new-multithreading-method

 

Sample Information

MD5: 7e799ba1a1b60c0f744a76f063bd2910

SHA256: ddaef49d0deefcdd5439ec5317f07f2a3dfafca6e51c75ce229c21870d15e00f               

Fortinet AV Detection: W32/Zerber.ANUG!tr

 

 

by RSS Sarah (Qi) Wu, Jacob (Kuan Long) Leong  |  Dec 09, 2016  |  Filed in: Security Research