A malicious campaign is spreading a new version of the Cerber ransomware, using the Tor anonymizing network.
Researchers from Cisco Talos have uncovered a few novel ways that adversaries are leveraging Google and Tor2Web proxies to spread Cerber 5.0.1. As ever though, the infection cycle starts with email.
“This campaign did not use advanced techniques that we sometimes see used by adversaries that include well written, professional looking emails, with legitimate signature blocks or other identifying characteristics,” researchers said in an analysis. “In this campaign, the emails were anything but professional. However, they did vary significantly with what we typically see from a ransomware distribution perspective.”
To wit: The majority of spam messages out there use various types of script-based file extensions to download the Locky ransomware. In this Cerber campaign, the messages didn't contain an attachment and were extremely short and basic.
The email messages associated with this spam campaign purport to contain hyperlinks to various files that may be of interest to the recipient such as pictures, order details, transaction logs, loan acceptance letters and so on. The subject lines of the emails contained the name of the recipient of the email messages which may make them seem more legitimate to unsuspecting victims.
“What we found was a potential next evolution for ransomware distribution that relies more heavily on Tor to obfuscate their activity and hinder the ability to shut down servers that are hosting the malicious content,” the researchers said.
Interestingly, the URL contained within the body of the email messages utilizes Google redirection, redirecting the victim to the malicious payload, which is actually hosted on the Tor network. The use of the "onion.to" domain in the initial redirect enables the attacker to make use of the Tor2Web proxy service, which enables the access of resources located on Tor from the internet by proxying web requests through an intermediary proxy server. Using proxy services like Tor2Web enables access to the Tor network without requiring a Tor client to be installed locally on the victim system.
“[This] shows an increasingly sophisticated infection process as attackers continue to implement new methods to attempt to evade detection and make analysis more difficult,” researchers said. “Cerber continues to release new versions very quickly and will likely continue to do so in the future. This campaign demonstrates the importance of ensuring that organizations use defense-in-depth defensive architectures to protect their environments as well as the importance of ensuring that employees are properly trained on the email-based threats and proper hygiene.”
Photo © Carlos Amarillo