Sergey Stelmakh | 03/30/2017
Trend Micro has provided Dropbox's security team with a list of links used to download Cerber. The provider has already blocked them along with the accounts involved.
Trend Micro has discovered a new version of the well-known Cerber malware, which encrypts files on an infected computer. Modifications made to the downloader allow the program to evade heuristic antivirus tools that use machine learning to detect unknown malicious code. However, the researchers note that the malware can still be detected by security solutions that combine a variety of techniques and do not rely too heavily on machine learning.
Like other ransomware, the updated Cerber is distributed via emails that entice the recipient to click on a link, but instead of an executable file, a self-extracting archive is downloaded from a Dropbox folder controlled by the scammers. It includes three files: a VBS script, a DLL file, and a configuration file. The latter contains various configuration settings as well as a loader that checks whether it is running in a virtual machine or a sandbox and which analysis tools and antivirus products are running on the victim's computer. According to Trend Micro, the structure of all these self-extracting files is similar regardless of their content and does not look malicious, so they do not arouse suspicion in security solutions.
Cerber was first discovered in early 2016. In addition to encrypting files, the ransomware also reads its ransom demand aloud. Its first attack began on June 22 last year and lasted for more than a day. Millions of corporate Office 365 users fell victim to the attackers.
The attack was revealed by Avanan, a company that specializes in protecting cloud users (some of the victims were its clients). It claimed that traditional antivirus applications did not notice anything suspicious because the Trojan was distributed via cloud applications, not regular email applications.
Cerber ransomware learns to detect virtual machines