Several Exploit Kits Now Deliver Cerber 4.0

We have tracked three malvertising campaigns and one compromised site campaign using Cerber ransomware after version 4.0 (detected as Ransom_CERBER.DLGE) was released a month after version 3.0. More details of this latest iteration of Cerber are listed in a ransomware advertisement provided by security researcher Kafeine.

The upgrades include shifting the ransom note from HTML to .hta format. The ransomware authors have also stopped using the consistent string “.cerber3” as the extension for encrypted files, and now use a random string generated for each infection as the new file extension. Based on the speedy adoption of Cerber 4.0—which has been seen in the wild since the start of October—the upgrades seem to have caught the attention of cybercriminals.
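With a random extension per infection, a fixed “.cerber3” indicator no longer matches, so detection has to key on behavior. The following is an added example, not code from the original post: it flags a host where a burst of renames converges on one unfamiliar extension and notes whether an .hta file was created around the same time. The event tuple layout, thresholds, `KNOWN_EXTS` baseline, file names and sample events are all assumptions constructed for illustration.

```python
import ntpath
from collections import Counter, defaultdict

# Assumed site baseline of extensions that routinely appear as rename targets.
KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".tmp", ".bak", ".txt"}

# Constructed sample events, not real telemetry:
# (epoch_seconds, host, action, path, new_path)
EVENTS = (
    [(100 + i, "ws-01", "rename", rf"C:\Users\a\doc{i}.docx",
      rf"C:\Users\a\doc{i}.x7q2") for i in range(6)]
    + [(106, "ws-01", "create", r"C:\Users\a\note.hta", "")]
    # Office-style temp-file saves: target extension is in the baseline.
    + [(200 + i, "ws-02", "rename", rf"C:\Users\b\~tmp{i}.tmp",
        rf"C:\Users\b\rep{i}.docx") for i in range(6)]
    # Unfamiliar extension, but spread over many minutes: no burst.
    + [(300 + 200 * i, "ws-03", "rename", rf"C:\Users\c\img{i}.jpg",
        rf"C:\Users\c\img{i}.q1w2") for i in range(5)]
)

def suspicious_hosts(events, window=60, min_renames=5):
    """Return hosts with >= min_renames renames to one unfamiliar extension
    inside `window` seconds, plus whether an .hta file appeared nearby."""
    renames, hta_drops = defaultdict(list), defaultdict(list)
    for ts, host, action, path, new_path in sorted(events, key=lambda e: e[0]):
        if action == "rename":
            old_ext = ntpath.splitext(path)[1].lower()
            new_ext = ntpath.splitext(new_path)[1].lower()
            # Only extension changes to something outside the baseline count.
            if new_ext and new_ext != old_ext and new_ext not in KNOWN_EXTS:
                renames[host].append((ts, new_ext))
        elif action == "create" and path.lower().endswith(".hta"):
            hta_drops[host].append(ts)

    findings = {}
    for host, items in renames.items():
        for i, (start, _) in enumerate(items):
            burst = [ext for ts, ext in items[i:] if ts - start <= window]
            ext, count = Counter(burst).most_common(1)[0]
            if count >= min_renames:
                note = any(abs(t - start) <= window for t in hta_drops[host])
                findings[host] = {"extension": ext, "renames": count,
                                  "hta_note": note}
                break
    return findings

if __name__ == "__main__":
    print(suspicious_hosts(EVENTS))
```
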

The advertisement reads:

Cerber Ransomware 4.0 | Cerber Ransomware 4.0 (translated)
– FUD на топовых антивирусах (скантайм / рантайм) | – FUD on top antivirus products (scantime / runtime)
– Обход мониторинга активности (массовое изменение, обход ханипотов итд.) | – Bypass of activity monitoring (mass modification, honeypot bypass, etc.)
– Обход всех известных anti-ransomware программ | – Bypass of all known anti-ransomware programs
– Работает 5 крипторов 7 дней в неделю | – 5 crypters working 7 days a week
– Обновленный морф | – Updated morph
– Новые инструкции на 13 языках + новый фон | – New instructions in 13 languages + new background
– Синхронизация доменов через блокчейн (больше не важно забанили домен лендинга или нет) | – Domain synchronization via blockchain (it no longer matters whether the landing domain is banned or not)
– Рандомное расширение для шифрованных файлов, обновленный алгоритм шифрования | – Random extension for encrypted files, updated encryption algorithm
– Новые типы файлов для шифрования | – New file types to encrypt
– Закрытие запущенных процессов всех топовых баз данных | – Closing of running processes of all top databases
– Обновленный JS Loader | – Updated JS Loader
– Новые onion домены и многое другое. | – New onion domains and much more.


The quick popularity of Cerber 4.0  

As we reported previously, Cerber has become one of the most prominent ransomware families of 2016. It has a wide range of capabilities and is often bought and sold as a service (ransomware-as-a-service or RaaS)—even earlier versions were peddled as RaaS in underground markets. The rapid release of Cerber updates has made it an increasingly popular payload for several exploit kits. This follows our research, which shows exploit kits continuously adopt ransomware families to target new vulnerabilities.

One campaign that seems to favor the latest version of Cerber is PseudoDarkleech, a continuously changing campaign that mostly delivers ransomware through compromised sites. It previously distributed CrypMIC and CryptXXX, but Trend Micro researchers noted that PseudoDarkleech switched to Cerber 4.0 last October 1.

Figure 1. This version of PseudoDarkleech directly injects the RIG exploit kit link onto the compromised site

Figure 2. Another variety of PseudoDarkleech directs visitors to a redirect server, which will direct them to a RIG exploit kit

Two older malvertisement campaigns also use Cerber 4.0. One campaign employs the Magnitude exploit kit, which is a longtime carrier of Cerber. Magnitude upgraded on October 3 and is continuously pushing Cerber 4.0 into countries in Asia, specifically Taiwan, Korea, Hong Kong, Singapore and China.

The second campaign typically employs a casino-themed fake advertisement, and researchers previously found it delivering the Andromeda or Betabot (detected by Trend Micro as Neurevt) malware to many countries. On October 4, Trend Micro researchers saw the campaign change its payload to Cerber 4.0 as well. This was the first instance that we detected it delivering Cerber 4.0, and it used the RIG exploit kit—another exploit kit that has a previous history with Cerber.

Figure 3. RIG exploit kit malvertising delivers new Cerber ransomware

Figure 4. The casino-themed fake advertisement

Neutrino exploit kit still live, now with Cerber 4.0

A new malvertisement campaign we first identified on September 8 was found distributing Cerber 3.0, before it upgraded to Cerber 4.0 on October 3. It was distributed to the US, Germany, Spain, Taiwan and Korea. Interestingly, the campaign used the Neutrino exploit kit to deliver this ransomware, despite claims by the Neutrino team that they stopped their service. Security researcher Kafeine reported a message from the Neutrino account on September 9: “we are closed, no new rents, no extends more”. It appears that Neutrino has retreated; one speculation is that the crew is afraid of being exposed by cybersecurity firms. Another theory is that they have gone into “private” mode, meaning the exploit kit is only available for VIP clients handling larger operations.

Figure 5. Neutrino malvertising serves Cerber ransomware

Solutions and Mitigation Tactics

Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 1-2-3 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable as long as regular backups are maintained.

Malvertising and exploit kits in general are being developed and improved constantly by cybercriminals, so keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities.

Trend Micro offers gateway, endpoint, network, and even server solutions that protect enterprises and consumers.


  • Endpoint Protection

    Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

    Ransomware Behavior Monitoring
    Application Control
    Vulnerability Shielding
    Web Security
  • Network Protection

    Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

    Network Traffic Scanning
    Malware Sandbox
    Lateral Movement Prevention
  • Server Protection

    Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.

    Webserver Protection
    Vulnerability Shielding


  • Protection for Home Users

    Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

    IP/Web Reputation
    Ransomware Protection

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 12 October 2016.