Saturday, March 2, 2024

Cerber 5.0.1 ransomware spreading via Google and Tor

What is cerber?
Cerber is a ransomware-type malware that infiltrates the system and encrypts various file types including .jpg, .doc, .raw, .avi, etc. Cerber adds a .cerber extension to each encrypted file. Following successful infiltration, Cerber demands a ransom payment to decrypt these files.
 

A spam campaign is using a Tor2Web proxy service in an attempt to infect users with Cerber ransomware without raising any red flags.

Researchers at Cisco Talos are accustomed to coming across malicious spam campaigns that leverage email attachments and professionally written emails to trick unsuspecting users. They’ve seen it with Locky and lots of other ransomware.

HOW IT WORKS…

A user receives an email containing a hyperlink claiming to be a file of interest such as a picture or transaction logs. Some of the emails’ subject lines contain the recipient’s first names, a technique which enhances the spam message’s claim to legitimacy.

Even so, the campaign’s spam is quite simplistic.

sp1

As you can see in the image above, the campaign is making use of Google redirection. But it’s not linking to any normal site. It’s redirecting the victim to a malicious payload that’s hosted on the Tor network.

Why is that important?

By hosting their malicious payloads on the Tor network, there is less of a chance that blacklisting services or other traditional detection tools will pick up on them. That means a victim’s AV software won’t block the redirect locations and that the payloads could remain active for quite some time.

Following the initial redirection, users are prompted to download a Microsoft Word document that – you guessed it! – contains malicious macros.

sp2

Enabling content activates a downloader that invokes Powershell, which in turn downloads the executable for the Cerber ransomware.

sp3

To protect yourself against this campaign, including the US $1,000 ransom fee it demands, users should securely and regularly backup their files, keep their systems up to date, and not click on suspicious links.REMOVE CERBER Ransomware 

Website

Latest articles

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...

CWE Version 4.14 Released: What’s New!

The Common Weakness Enumeration (CWE) project, a cornerstone in the cybersecurity landscape, has unveiled...

RisePro Stealer Attacks Windows Users Steals Sensitive Data

A new wave of cyber threats has emerged as the RisePro information stealer targets...

Golden Corral Restaurant Chain Hacked: 180,000+ Users’ Data Stolen

The Golden Corral Corporation, a popular American restaurant chain, has suffered a significant data...

CISA Warns Of Hackers Exploiting Multiple Flaws In Ivanti VPN

Threat actors target and abuse VPN flaws because VPNs are often used to secure...

BEAST AI Jailbreak Language Models Within 1 Minute With High Accuracy

Malicious hackers sometimes jailbreak language models (LMs) to exploit bugs in the systems so...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles