Cerber Ransomware and Kovter Trojan Team up Together

For the last 2 weeks, we have been observing a malware campaign using spam emails that look like they are from United States Postal Service (USPS) or FedEx. These emails are distributing the Cerber Ransomware along with Kovter Trojan – a lethal combination!

The spam email contains a malicious script file linked to compromised websites from where additional components can be downloaded. We have come across about 300 such websites used in this malware campaign that are hacked and compromised by attackers.

How the attack works
The victim first opens the email attachment containing a script file expecting it to be the document mentioned in the received email.

Fig 1. Malicious script file

The script gets executed by Window’s Wscript and connects to one of the compromised websites for downloading a ‘counter.js’ file which gets executed from the temp directory itself. The counter.js file then downloads another doc file which is responsible for downloading the Cerber Ransomware payload. The payload is dropped in Windows temp directory (%temp%) from where it gets executed and starts encrypting the victim’s files.

Fig 2. Ransom note of Cerber Ransomware

Cerber encrypt the user’s data with a random name extension and demands a ransom in exchange for a key that can decrypt the data.

Fig 3. Files encrypted by Cerber with random characters

The attack, however, does not stop at data encryption. The script file (mentioned earlier) then proceeds to install the Kovter fileless malware that hides in Windows Registry making its presence undetectable. Like other Trojans, Kovter gathers the user’s data and sends it to its Command & Control server (CnC) which is controlled by the attacker. Kovter is also used for click fraud campaigns where a computer or a person is maliciously used to click on online ads to generate revenue.

Read more about Koveter in our blog post: Kovter: the fileless click fraud malware

Quick Heal Detection

1. Quick Heal Email Protection feature successfully blocks such malicious attachments (the script file, in this case) even before they are executed.
2. Quick Heal Web Security feature successfully blocks the malicious websites linked to these attachments.

Precautionary Measures

1. Never open email attachments with double extensions such as .doc.js and doc.vbs – these are most likely to contain malware. Set ‘systems folder’ options to show extensions for known file types, to identify such files.
2. Never download attachments or click on links in emails received from unknown, unwanted or unexpected sources.
3. Don’t respond to pop-up notifications or alerts while visiting unfamiliar websites.
4. Apply all recommended security updates to your OS, software, and Internet browsers, if not already.
5. Have an antivirus software installed on your computer that efficiently blocks spam and malicious emails, and automatically restricts access to malicious websites.

Acknowledgment

• Prashant Tilekar
  Threat Research and Response Team

Quick Heal Security Labs