Content

Cerber ransomware using Magnitude EK and binary padding

Cerber ransomware delivering in a Magnitude exploit kit (EK) using an interesting technique, Malwarebyte researchers have discovered.

The Magnitude EK uses its own gate and continues to evolve new tricks and techniques to avoid detection and is notorious for distributing the Cerber ransomware to certain geolocations, such as South Korea. Researchers have noted the EK using Internet Explorer vulnerabilities without needing to use Flash exploits, Malwarebytes Lead Malware Intelligence Analyst Jerome Segura said in an Aug. 9 blog post.

Segura said typically payloads from exploit kits are downloaded in encrypted format using RC4 and then decrypted once on the disk so that they can run albeit exceptions where less advanced kits simply download the payload in clear text.

“With the case of Magnitude EK, the payload is not RC4 encrypted, but again, it is altered by inflating its size before execution,” he said. “So, this is an interesting hybrid method that will most definitely bypass some security products.”

The EK uses a XML configuration to retrieve the Cerber payload and has been seen in the wild before. The EK also uses a binary padding technique in an attempt to bypass certain security scanners.

“Any antivirus scanner that ignores files above a certain size threshold would miss detecting these kinds of binaries,” Segura told SC Media. “A way to circumvent this limitation is to block malware before it gets downloaded or detect its malicious behavior once it has executed.”

He went on to say that any technique that changes the expected delivery method of malware is interesting and can be effective if executed properly. For the latest Cerber Magnitude EK, the malware distributor performed tests to see how much they could grow the file without crashing the system. If the file passed a certain size the delivery and execution would fail or be inefficient, he added.

The malware is spread via malvertising. While Segura hasn't seen the technique adopted by other malware developers, Segura said he's seen exploit kit developers steal ideas, or even code from competitors and that features that typically stick around are driven by the success of infection rates.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.