A new spam campaign is using Google and Tor2Web proxies to spread a ransomware variant.
A new spam campaign is using Google and Tor2Web proxies to spread a ransomware variant.

A new iteration of Cerber ransomware, v5.0.1, has been taking a novel approach in its dissemination methods, according to a post from Talos, the threat intelligence organization, part of Cisco.

The miscreants behind a new spam campaign have been spreading the malware variant using Google and Tor2Web proxies.

The researchers first detected this campaign on November 24. While the emails lack a sophisticated veneer, the researchers reported that the spam distinguishes itself by its distribution method. Rather than depend on attachments with script-based file extensions to deliver the Locky executable to infect systems, as has been the primary method used previously, this new campaign is "a potential next evolution for ransomware distribution," the researchers claimed.

Cerber 5.0.1 ransomware relies on redirects via Google and the use of a Tor2Web proxy service to disguise its activity and block attempts to shutter servers hosting the malicious content.

Emails arrive with the recipient's name in the subject line, giving them the appearance of legitimacy, and present hyperlinks to the usual subjects of potential interest: pictures, order details, transaction logs, loan acceptance letters, etc. But hidden within the message, a URL employs Google redirection leading unwitting victims to the malicious payload hosted on the Tor network. 

Because the attackers use the Tor2Web proxy service, they're able to proxy web requests through an intermediary proxy server. This means a Tor client is not required to be loaded locally on the target machine. Additionally, because the ransomware is hosted on a Tor server, it is less likely to be removed and enables those behind the malware to rapidly alter the redirection chain so as to evade detection by reputation-based blacklisting technologies, the researchers said.

Clicking the bad link delivers a Word document containing the malware downloader with the Cerber variant.

The researchers said that over the past few months the Cerber ransomware family has continued to evolve very rapidly. "This latest distribution campaign highlights how ransomware based threats are continuing to evolve and mature over time, and shows an increasingly sophisticated infection process as attackers continue to implement new methods to attempt to evade detection and make analysis more difficult."

The researchers predict that Cerber will continue to evolve.

A defense-in-depth defensive architectures is key to defending operations, they advised, as well as educating employees about potential threats from email.

Plus, while arguing that the Tor network serves a useful purpose in allowing users to browse the web anonymously, the researchers posit whether employees should be allowed to use it as it is being used by attackers to host and deliver malicious content.

“Malware is just software that is written for a malicious purpose and as such the authors are continually working to improve their software," Nick Biasini, a threat researcher at Cisco Talos and co-author of the post, told SC Media on Tuesday. 

This is another key reason not to pay the ransom, he added. "By paying the adversaries you are directly funding additional software development that will go both to the malware and the means with which it is being distributed.  Both of these are evidenced by this particular campaign.”

As far as what is different about the delivery mechanism used in this iteration of Cerber, Edmund Brumaghin, a threat researcher at Cisco Talos and co-author of the post, told SC Media on Tuesday that historically, email-based ransomware campaigns have leveraged malicious file attachments. However, in this campaign, Talos saw a shift to the use of Tor for hosting both the malicious documents as well as the actual ransomware payload. "Tor2Web proxies allowed systems that normally would not be able to natively access Tor to download these malicious files even though they are hosted on Tor,” Brumaghin said.

And what does this new delivery method tell about the coders? “Attackers recognize that by hosting these malicious files on Tor, it is much more difficult to get them removed or taken down," Brumaghin told SC. "They are then able to move them around and host them on servers within the Tor network and make them accessible using proxy services like Tor2Web.”

Biasini added that this is yet another example of the impact Tor is – and will continue to have – on the threat landscape. "By using Tor, adversaries are able to keep their malicious files hosted longer and makes it increasingly difficult to identify the systems and individuals behind the attacks."

This is the first of likely many attacks that are going to increasingly rely on Tor2Web proxies to get access to malware hidden on the dark web, said Biasini.