One of the most common forms of ransomware is evolving a new technique in order to become even more effective and harder to detect: the ability to evade detection by cybersecurity tools which use machine learning to identify threats.
Identified by Trend Micro, the new Cerber variant is, like most ransomware, delivered by a malicious phishing email. But rather than encouraging the victim to click on a link to download a file, these emails contain a link to Dropbox which downloads and self-extracts the Cerber payload.
However, in order to evade detection and monitoring by cybersecurity researchers, this version of Cerber will check to see if it's running on a virtual machine, sandbox, or if certain products are running on the machine -- and if it spots any of these, it'll stop running. Why? Because it's in the best interests of the criminals behind it that their code doesn't get analysed.
It's because of this that the actors behind Cerber have gone to the trouble of repackaging the delivery method and loader in order to get around cybersecurity products which can detect malicious files based on features instead of signatures.
But by deploying a self-extracting mechanism, it's possible for the file to not look malicious, even to machine learning tools.
"Self-extracting files and simple, straightforward files could pose a problem for static machine learning file detection. All self-extracting files may look similar by structure, regardless of the content. Unpacked binaries with limited features may not look malicious either," says a Trend Micro blog post about the Cerber update.
Ultimately, when a new way to detect malware arrives, cybercriminals do all they can to get around it so they can continue to deliver payloads.
The best way to ensure networks are protected against sophisitcated threats, says Trend Micro, is not to rely on just one single layer of defence. "Threats will always try to get around the latest solutions, and users should avoid relying on any single approach to security. A proactive, multilayered approach to security is more effective -- from the gateway, endpoints, networks, and servers," it explains.
The researchers also provided a list of malicious Dropbox URLs to the cloud storage provider's security team. The links are no longer active and Dropbox has banned the accounts involved.