Ransomware authors have adopted a number of new tactics recently to help avoid detection and stop takedown attempts, and the latest move by the gang behind the Cerber malware is the use of both Google redirection and the Tor network as evasion and obfuscation mechanisms.
Researchers from Cisco’s Talos group have come across a new version of the Cerber ransomware that uses these techniques, combined with pretty rudimentary email messages to trick victims into clicking on links that lead to the malicious files. Typically, sophisticated ransomware crews will use well-crafted emails with malicious attachments that contain the ransomware. But this Cerber campaign isn’t using any attachments in its spam emails and instead is relying on trickery to entice users into following the links, which are obfuscated and lead to sites on the Tor anonymity network.
“The email messages associated with this spam campaign purport to contain hyperlinks to various files that may be of interest to the recipient such as pictures, order details, transaction logs, loan acceptance letters, etc. In all of the messages Talos analyzed, the subject lines of the emails contained the name of the recipient of the email messages which may make them seem more legitimate to unsuspecting victims,” Nick Biasini and Edmund Brumaghin of Cisco Talos said in an analysis of the Cerber campaign.
“Interestingly, the URL contained within the body of the email messages utilizes Google redirection, redirecting the victim to the malicious payload which is actually hosted on the Tor network. The use of the ‘onion.to’ domain in the initial redirect enables the attacker to make use of the Tor2Web proxy service, which enables the access of resources located on Tor from the internet by proxying web requests through an intermediary proxy server.”
The spam messages used in this campaign are basic, containing just the malicious link and a signature line. The links are difficult to parse by sight, and when a victim clicks on one, it leads to a site that downloads a rigged Word document that acts as a downloader for the actual Cerber file. The ransomware then encrypts all of the victim's files and demands a payment of about $1,000. The Cisco researchers said organizations can help protect their users against this specific Cerber variant by filtering Tor traffic.
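The redirect chain described above (a Google redirect whose destination sits on a Tor2Web proxy domain such as onion.to) is something a mail filter can flag before the link is ever followed. The following is an added example, not Talos's or this article's code; it assumes the common `google.com/url?q=...` redirect form, and the sample links are constructed to match the shape of the campaign, not real indicators.

```python
"""Flag e-mail links that chain a Google redirect to a Tor2Web proxy domain."""
from urllib.parse import urlparse, parse_qs

# Tor2Web proxy suffixes: onion.to is the domain named in the Talos analysis;
# the others are assumed additional Tor2Web services and can be extended.
TOR2WEB_SUFFIXES = (".onion.to", ".onion.link", ".onion.cab")


def unwrap_google_redirect(url):
    """Return the destination of a google.com/url?q=... (or url=...) redirect,
    or the URL itself when it is not a Google redirect."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if (host == "google.com" or host.endswith(".google.com")) and p.path == "/url":
        qs = parse_qs(p.query)
        for key in ("q", "url"):
            if qs.get(key):
                return qs[key][0]
    return url


def tor2web_host(url):
    """Return the hostname if it ends in a known Tor2Web suffix, else None."""
    host = (urlparse(url).hostname or "").lower()
    return host if host.endswith(TOR2WEB_SUFFIXES) else None


def classify_link(url):
    """Return (verdict, final_destination) for one link found in a message.
    Verdicts: 'tor2web-via-google', 'tor2web-direct', 'clean'."""
    dest = unwrap_google_redirect(url)
    via_google = dest != url
    if tor2web_host(dest):
        return ("tor2web-via-google" if via_google else "tor2web-direct"), dest
    return "clean", dest


# Constructed sample links mimicking the campaign's shape (not real indicators).
SAMPLE_LINKS = [
    "https://www.google.com/url?q=http://abcdefghijklmnop.onion.to/photos.php&sa=D",
    "http://qrstuvwxyz012345.onion.to/order.php",
    "https://www.google.com/url?q=https://example.com/report.pdf&sa=D",
    "https://example.com/index.html",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, dest = classify_link(link)
        print(f"{verdict:20} {dest}")
```

Blocking the Tor2Web suffixes at the proxy or mail gateway implements the Talos mitigation directly; the "tor2web-via-google" verdict is the one worth alerting on, since a Google-hosted redirect on its own would pass most reputation checks.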
“Tor is a useful way to browse the web anonymously. However, adversaries are leveraging it heavily to distribute and host malicious content. In this particular instance if all Tor2Web and Tor traffic were blocked the threat would be largely mitigated. Organizations need to decide if the business case for allowing Tor and Tor2Web on the network outweighs the potential risks to its users,” they said.
Image: Redtype, CC BY 2.0 license.