There is a new Cerber ransomware variant that has evolved to get around machine learning, researchers said.
The ransomware uses a new loader that appears designed to evade detection by machine learning-based security products. The loader can hollow out a legitimate process and run the Cerber code in its place, according to researchers at Trend Micro.
Cerber, like its ransomware relatives, is delivered by email through a link to a self-extracting archive. The emails usually claim to come from various utilities, said Gilbert Sison, threats analyst at Trend Micro, in a blog post. They contain a link to a self-extracting archive hosted on a Dropbox account controlled by the attackers; the target downloads and opens it, infecting the system.
The archive holds three files: one is a Visual Basic Script, the second a DLL, and the third a binary file. The script loads the DLL, and the DLL reads the binary file and executes it.
Once deployed, the loader checks whether it is running in a sandbox. If it is not, it injects the Cerber binary into one of several running processes.
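The three-file layout described above (script, DLL, opaque binary) is itself something a defender can look for, which is the point Sison makes about a set structure within an archive being easy to flag. The following is an added example written for this article, not Trend Micro's code or anything from the Cerber sample: it scores an archive by labelling each member and reporting whether the script + DLL + high-entropy-blob combination is present. It assumes the package can be inspected as a plain ZIP (the article says only "self-extracting archive" and names no container format) and that the loader's payload is packed or encrypted, so it appears as a high-entropy blob without an executable header. The sample archives it builds are constructed placeholders, not malware.

```python
"""Archive-layout check for the three-file loader package described in
the article (Visual Basic Script + DLL + opaque binary payload).
Added defender-side example; not Trend Micro's or the article's code.
Assumptions: the package is read as a plain ZIP, and the payload is
packed/encrypted, so it shows as high-entropy data with no PE header."""
import hashlib
import io
import math
import zipfile
from collections import Counter

SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; packed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_member(name: str, data: bytes) -> str:
    """Label one archive member as script, executable, opaque or other."""
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
    if ext in SCRIPT_EXT:
        return "script"
    if ext == ".dll" or data[:2] == b"MZ":  # Windows PE image (DLL or EXE)
        return "executable"
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "opaque"  # no PE header, but looks packed or encrypted
    return "other"


def assess_archive(zip_bytes: bytes) -> dict:
    """Return each member's label and whether the script + DLL + opaque
    blob layout from the article is present."""
    members = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            members[info.filename] = classify_member(info.filename, zf.read(info))
    kinds = Counter(members.values())
    suspicious = all(kinds[k] >= 1 for k in ("script", "executable", "opaque"))
    return {"members": members, "suspicious": suspicious}


def build_sample_archive(loader_layout: bool) -> bytes:
    """Constructed test input: either the three-file loader layout or a
    harmless two-file archive. Contents are placeholders, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if loader_layout:
            zf.writestr("invoice.vbs", "' constructed placeholder script\r\n")
            zf.writestr("helper.dll", b"MZ" + b"\x00" * 510)  # fake PE header only
            # Deterministic pseudo-random blob standing in for the encrypted payload
            blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
            zf.writestr("data.bin", blob)
        else:
            zf.writestr("readme.txt", "Quarterly report, see attached summary.\n" * 20)
            rows = "\n".join(f"{m},{m * 100}" for m in range(1, 13))
            zf.writestr("summary.csv", "month,total\n" + rows)
    return buf.getvalue()


if __name__ == "__main__":
    for layout in (True, False):
        print(assess_archive(build_sample_archive(layout)))
```

The entropy threshold is deliberately coarse: a legitimate compressed asset (an image, a font) will also read as "opaque", so the signal is the combination of member types, not any single one, which is exactly why a fixed package structure is cheaper to detect than the loader's code.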
“This new evasion technique does not defeat an anti-malware approach that uses multiple layers of protection,” Sison said. “Cerber has its weaknesses against other techniques. For instance, having an unpacked .DLL file will make it easy to create a one-to-many pattern; alternately having a set structure within an archive will make it easier to identify if a package is suspicious. Solutions that rely on a variety of techniques, and are not overly reliant on machine learning, can still protect customers against these threats.”