Cerber spotted using Magnitude EK, its own gate, and binary padding.

Cerber ransomware is being delivered by the Magnitude exploit kit (EK) using an interesting technique, Malwarebytes researchers have discovered.

The Magnitude EK uses its own gate and continues to evolve new tricks and techniques to avoid detection. It is notorious for distributing the Cerber ransomware to certain geolocations, such as South Korea. Researchers have noted the EK using Internet Explorer vulnerabilities without needing to use Flash exploits, Malwarebytes Lead Malware Intelligence Analyst Jerome Segura said in an Aug. 9 blog post.

Segura said payloads from exploit kits are typically downloaded in RC4-encrypted form and then decrypted once on disk so that they can run, with the exception of less advanced kits that simply download the payload in clear text.

“With the case of Magnitude EK, the payload is not RC4 encrypted, but again, it is altered by inflating its size before execution,” he said. “So, this is an interesting hybrid method that will most definitely bypass some security products.”

The EK uses an XML configuration to retrieve the Cerber payload and has been seen in the wild before. The EK also uses a binary padding technique in an attempt to bypass certain security scanners.

“Any antivirus scanner that ignores files above a certain size threshold would miss detecting these kinds of binaries,” Segura told SC Media. “A way to circumvent this limitation is to block malware before it gets downloaded or detect its malicious behavior once it has executed.”
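A defender-side check for this kind of padding, as an added example that is not from Malwarebytes or the original article: it compares the on-disk size a PE file's section table declares with the file's actual size and flags a large, low-entropy remainder. It assumes the padding is appended after the last section as constant filler (the article does not say how the file is inflated); the sample file, thresholds and function names are constructed for illustration.

```python
import math
import struct
from collections import Counter

def build_sample(pad_len):
    """Constructed minimal PE-like file: one 512-byte section plus pad_len zero bytes."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                       0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + sect).ljust(0x200, b"\0")
    return headers + bytes(range(256)) * 2 + b"\0" * pad_len

def entropy(buf):
    """Shannon entropy in bits per byte (0.0 for an empty or constant buffer)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def overlay_report(data, min_ratio=0.5, max_entropy=1.0):
    """Compare the on-disk size declared by the section table with the real size."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size                   # section table follows the headers
    end = table + 40 * nsec                      # headers end here at the earliest
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = data[end:]                         # bytes no section accounts for
    ratio = len(overlay) / len(data)
    ent = entropy(overlay)
    return {"declared": end, "actual": len(data), "overlay_ratio": round(ratio, 3),
            "overlay_entropy": ent,
            "padded": ratio >= min_ratio and ent <= max_entropy}

if __name__ == "__main__":
    for pad in (0, 8192):
        print(pad, overlay_report(build_sample(pad)))
```

Because the check needs only the headers and a pass over the trailing bytes, it can run on files that exceed a scanner's content-inspection size limit. Legitimate installers and signed binaries also carry trailing data, which is why the entropy condition is included.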

He went on to say that any technique that changes the expected delivery method of malware is interesting and can be effective if executed properly. For the latest Cerber Magnitude EK, the malware distributor performed tests to see how much they could grow the file without crashing the system. If the file passed a certain size, the delivery and execution would fail or be inefficient, he added.

The malware is spread via malvertising. While Segura hasn't seen the technique adopted by other malware developers, he said he's seen exploit kit developers steal ideas, or even code, from competitors, and that the features that typically stick around are driven by the success of infection rates.