Security Alert
Jonathan Crowe
Mar 2017

Alert: New Technique is Getting Cerber Ransomware Past Machine Learning Detection

Key Details

  • Type of attack: New evasive version of Cerber ransomware
  • Attack vector: Email
  • Damage: As of yet unknown, but companies with security solutions that rely on machine learning to detect malware pre-execution may be at risk
  • empty
  • empty
  • empty
  • empty
  • empty

See how Barkly stops Cerber ransomware during runtime, before it encrypts files.
See how

Attackers behind Cerber ransomware, currently one of the most active ransomware families, have adopted a new technique designed to sneak their malicious code past machine learning security solutions.

According to researchers at Trend Micro, the key lies in the utilization of self-extracting archives (SFX), programs that contain compressed data along with executable instructions for extracting the data.

The trouble that machine-learning solutions run into, at least ones designed to detect malware by looking at static files, is that they aren't able to see past the shell of the self-extracting archive into its contents.

As Trend Micro Data Scientist Dr. Jonathan Oliver puts it...

"The problem with self-extracting archives, such as WinRAR, is that they hide the fundamental content of the file. So machine learning, with all that information hidden from it, is more likely to give inappropriate answers."

Jonathan Oliver, Trend Micro

In the case of these new Cerber attacks, the danger is that an "inappropriate answer" could allow the self-extracting archive to unload hidden malicious cargo that encrypts an unsuspecting victim's files.

How these Cerber attacks are infecting victims

The primary attack vector appears to be email, with victims receiving phishing emails disguised to look like messages or invoices from various utility companies.

The emails are tricking victims into clicking a link to download the self-extracting archive. Rather than hosting the SFX on a compromised site that may already be flagged or blocked by security tools, however, the attackers have instead been able to upload it to Dropbox accounts they have control of.

A look inside the self-extracting archive


The self-extracting archive is hiding several basic scripts and files that queue up one another and eventually launch Cerber by hollowing out a legitimate process and injecting the Cerber code into it.

New Cerber attacks are bypassing pre-execution detection. / Trend Micro

Before performing the final process-hollowing step, the loader (contained in file X) checks to see if it is running on a virtual machine or in a sandbox, and whether or not certain analysis and security tools are present. Once it determines the coast is clear, it injects the Cerber code into otherwise legitimate processes, and the ransomware is off and running.

For details on how Cerber operates once it's been executed, see our blog post, "Stopping Cerber Ransomware at Runtime."

The real problem is NOT with machine learning, it's with pre-execution defense

Trend Micro's assertion that this new evasion technique is specifically effective against machine learning isn't entirely accurate. After all, machine learning is really just a tool security solutions can use to augment any number of different processes and approaches (in fact, Barkly uses machine learning to help analyze malicious behaviors at runtime).

The real blindspot Trend is referring to is any attempt to detect malware solely by looking at static files.

Without any runtime activity to analyze, the determination of whether or not a file is malicious has to be based purely on its appearance. And as this new technique shows, appearances can be deceiving.

To Trend's credit, they do make this point more clear towards the end of their write-up, stating, "The new packaging and loading mechanism employed by Cerber can cause problems for static machine learning approaches —i.e, methods that analyze a file without any execution or emulation..... All self-extracting files may look similar by structure, regardless of the content. Unpacked binaries with limited features may not look malicious either."

(Note: Emphasis mine)

These attacks may be getting past pre-execution defenses, but you can block them at runtime


The good news is, while this technique may be giving antivirus and next-gen antivirus programs trouble, Barkly has been able to block these new Cerber attacks thanks to its use of runtime malware defense (RMD).

That's because RMD allows us to monitor various levels of system activity for suspicious behavior and block malware at the earliest stages of execution, before any harm is done.

The truth is, trying to guess the intent of static files is incredibly tricky. No matter how well-educated or machine-learning-informed the guess is, it's still a guess.

Actions, on the other hand, don't lie. By analyzing them in real-time we can more definitively determine what's malicious and what's not. That's why RMD is such a crucial layer of defense. Without it, security solutions are operating with important information still missing.

Find out more about how RMD works in our Complete Guide to Runtime Malware Defense.

To see RMD in action, check out our post, "Stopping Cerber During Runtime".

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.