Researchers said the ransomware is using a new loader that appears to dodge machine learning solutions.
Researchers said the ransomware is using a new loader that appears to dodge machine learning solutions.

Trend Micro researchers have spotted Cerber using new trick to evade machine learning making it harder to detect.

Researchers said the ransomware is using a new loader that appears to dodge machine learning solutions using features that check if it is running in a virtual machine (VM), a sandbox, or if certain analysis tools are running on the machine, or if certain AV products are present, according to a March 28 post.

The malware's engineers also designed the malware to check for Analysis Tools including Msconfig, Regedit, Task Manager, Virtual Machines, Wireshark as well as to recognize security vendors including 360, AVG, Bitdefender, Dr. Web, Kaspersky, Norton and Trend Micro.

Researchers said the malware was repackaged into a self-extracting file and can cause problems for threat detection methods that analyze a file without any execution or emulation because all self-extracting files, and simple straightforward files, may look similar by structure, regardless of the content.

Antimalware approaches that use multiple layers are still able to detect Cerber's new evasion tactics as well as solutions that aren't overly reliant on machine learning can still protect users from this and similar threats.

“This latest version of Cerber essentially breaks up the malware in pieces to avoid some static machine learning implementations,” Trend Micro Vice President of Cloud Research Mark Nunnikhoven told SC Media. “These applications analyze files and look for various attributes that their models show as malicious.”

He added that if the malicious content of the file is hidden, such as encrypted, injected in real-time, or externally referenced, it's never evaluated against the model and that skews the results. Furthermore, Nunnikhoven said the changes in the latest version are only in how the software loads and that once active, it still demonstrates the same behaviors which would more easily be detected.

Not all hope is lost for machine learning techniques, though. Applying a different machine learning behavior while Cerber is running, for example, can be effective as well.

“At its simplest, machine learning is basically a model,” Nunnikhoven said. “You compare a sample against the model and see if it's a match with a set level of certainty.”

Some tools only apply the model to files meaning anything that doesn't fail the model will get the green light. For this reason, a series of techniques are recommended.

Nunnikhoven said he expects the Cerber family of malware to continue to evolve and that we should expect more evasion technique to be rolled out into future versions of the malware.