Multipurpose malware: Sometimes Trojans come in threes

May 27, 2016

As if ransomware weren’t bad enough, now it’s metastasizing: not just spreading rapidly but even picking up secondary characteristics. Take Cerber, ransomware first spotted in the wild back in February 2016.

Cerber ransomware delivers a secondary payload

At the time, Cerber was best known for being somewhat spooky — instead of merely flashing an ominous message at victims, Cerber delivered its ransom “note” verbally as well. Still, it was a standard modus operandi: Give us money and we’ll give you back your files.

Second payload

Now, Cerber and other Trojans encrypt the data of their victims, and most computer users haven’t a clue how to handle it. Sounds like a great diversionary tactic, doesn’t it?

It seems Cerber distributors agree. Some updated versions of the malware — which, aided by sophisticated delivery methods, has positively exploded in recent months — arrive with a second payload. The bonus gift in this case is one designed to add your computer to a malicious botnet army.

Briefly, here is the sequence of events. First, Cerber arrives in the form of an e-mail attachment. Once executed, the virus behaves like any other ransomware, encrypting files and demanding money for their safe return. But then, security researchers are finding, it confirms the computer’s Internet connection and begins using the infected PC for other purposes, such as for a distributed denial-of-service (DDoS) attack or as a spambot.

Multipurpose malware on the rise

“Cerber” is actually an apt name for malware that is part of this multipayload trend. Like Cerberus, the three-headed dog of Greek mythology, it is neither simple nor straightforward to vanquish — and that makes the approach attractive to cybercriminals.

Cerber is not the first ransomware we’ve seen in 2016 to add an extra payload, either. For example, Petya, ransomware that encrypted victims’ entire hard drive but required users to grant it permission first, added Mischa to its installation routine to guarantee infection. And CryptXXX added the ability to steal information and bitcoins to its otherwise normal ransomware payload.

Ransomware is crime that pays, and pays well. Expect that Cerber is at the head, not the tail, of this trend of multifarious ransomware viruses. Stay informed and protected to maximize your odds of staying safe.

Avoiding Cerber

Malware such as Cerber continues to be delivered in ways that make it fairly easily avoidable. To minimize your chances of falling victim to Cerber — and minimize the damage in case you do encounter it:

  1. Be wary of all emails. Never click on a link in a message that is obviously spam, but also avoid clicking through in what looks like a legitimate business email or even a message that appears to be from someone you know and trust.
  2. Back up your files. Back them up again, and back up them up regularly.
  3. Apply operating system and application patches as soon as they become available. Like spam links, unpatched exploits are a hugely popular point of entry for malware.
  4. Run security solution, like Kaspersky Internet Security — all of the time — and keep it up to date. You need protection on all connected devices, too. Kaspersky Lab solutions detect Cerber as Trojan-Ransom.Win32.Zerber.