Monday 3 April 2017

Beware of Cerber in your parcel

A new Cerber ransomware campaign arrives as fake parcel delivery notifications carrying zip attachments.

The zip archive contains a JavaScript (.js) file which, when opened and run by the Windows Script Host, downloads the Cerber ransomware.

To run, Cerber needs the .NET Framework 2.0. Therefore, the ransomware may download the 'NetFx20SP1_x86.exe' package.

As usual, Cerber drops its notification messages (ransom notes) in every folder that contains encrypted files, and it also replaces the desktop wallpaper with a ransom message.

The cryptolocker uses Microsoft's CryptoAPI with a hybrid AES+RSA scheme: file contents are encrypted with AES and the AES key material is protected with RSA. Without the attackers' RSA private key the victim has no way to decrypt the files.


Network IoCs

Yara rule

rule CerberRansomware_mem
{
    meta:
        author = "NioGuard Security Lab"
        info = "Detecting the Cerber process"
        reference = ""

    strings:
        $a1 = "_READ_THIS_FILE_{RAND}_."
        $a2 = "hta"
        $a3 = "txt"
        $a4 = "jpeg"

    condition:
        $a1 and ($a2 or $a3 or $a4)
}

Note that $a2, $a3 and $a4 are three- or four-byte strings that will appear in almost any process memory; the condition only fires when the ransom-note filename template $a1 is also present, so that string is what carries the detection.
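The two artefacts described above, the ransom notes dropped next to encrypted files and the note-name template left in process memory, can be hunted for with a short script. The following is an added example written for this post, not NioGuard's own tooling: it walks a directory tree for files named `_READ_THIS_FILE_{RAND}_.hta/.txt/.jpeg` and evaluates the same condition as the YARA rule above over a raw byte buffer (for example a process memory dump). The assumption that `{RAND}` is an alphanumeric run of any length, and the sample directory layout it builds, are constructed for the demo and are not taken from the post.

```python
#!/usr/bin/env python3
"""Hunt for Cerber ransom-note artefacts on disk and in memory dumps.

Added example for this post, not NioGuard code. The note-name template
_READ_THIS_FILE_{RAND}_.{hta,txt,jpeg} comes from the post; the alphabet
and length of {RAND} (alphanumeric, any length) is an assumption.
"""
import os
import re
import tempfile

# Assumption: {RAND} is an alphanumeric run. Extensions are the three the
# post's YARA rule looks for. Windows filenames are case-insensitive.
NOTE_RE = re.compile(r"^_READ_THIS_FILE_[A-Za-z0-9]+_\.(hta|txt|jpeg)$",
                     re.IGNORECASE)


def find_cerber_notes(root):
    """Walk `root` and return {directory: [note names]} for every directory
    holding at least one file matching the Cerber note pattern. Cerber drops
    its notes next to the files it encrypted, so each hit marks a folder
    whose contents should be treated as encrypted."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        notes = sorted(f for f in files if NOTE_RE.match(f))
        if notes:
            hits[dirpath] = notes
    return hits


def cerber_mem_condition(buf):
    """Evaluate the post's YARA condition over a raw byte buffer (e.g. a
    process memory dump): the note-name template must be present together
    with at least one of the three note extensions."""
    a1 = b"_READ_THIS_FILE_{RAND}_." in buf
    exts = any(e in buf for e in (b"hta", b"txt", b"jpeg"))
    return a1 and exts


def build_sample_tree(root):
    """Create a constructed directory layout for a demo run (not real data):
    one folder that looks hit (notes beside a victim file), one clean
    folder with decoy names that must not match."""
    enc = os.path.join(root, "Documents")
    clean = os.path.join(root, "Pictures")
    os.makedirs(enc, exist_ok=True)
    os.makedirs(clean, exist_ok=True)
    for name in ("_READ_THIS_FILE_7Kp3Q_.hta", "_READ_THIS_FILE_7Kp3Q_.txt",
                 "_READ_THIS_FILE_7Kp3Q_.jpeg", "report.docx"):
        open(os.path.join(enc, name), "wb").close()
    for name in ("holiday.jpg", "README_FILE.txt"):  # decoys, not the pattern
        open(os.path.join(clean, name), "wb").close()
    return enc, clean


def run_demo():
    """Build the constructed tree in a temp dir, scan it, and check a
    constructed memory buffer. Returns the results for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        enc, clean = build_sample_tree(tmp)
        hits = find_cerber_notes(tmp)
        hit_enc = enc in hits
        hit_clean = clean in hits
        notes = hits.get(enc, [])
    # Constructed buffer imitating a fragment of Cerber process memory.
    sample_mem = b"\x00\x00_READ_THIS_FILE_{RAND}_.\x00hta\x00"
    return {
        "hit_encrypted_folder": hit_enc,
        "hit_clean_folder": hit_clean,
        "notes": notes,
        "mem_rule_hit": cerber_mem_condition(sample_mem),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it with no arguments to see the constructed demo; to hunt a real host, call `find_cerber_notes` on a drive root and `cerber_mem_condition` on a memory dump read in binary mode. The file-name check is the more reliable of the two on disk, since the `{RAND}` literal in memory is a template and the dropped notes carry the expanded random value instead.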
