Cerber Ransomware Updates Configuration File

McAfee Labs has recently analyzed Version 2 of Cerber, one of the leading ransomware programs. Cerber infects systems via social media tricks such as spam email with malicious links or documents, malvertising campaigns, exploits of vulnerable websites, and also takes advantages of exploit kits like Angler, Nuclear, and others.

During our analysis of the new version, we found some new fields in the configuration file. In this post, we highlight the changes in the configuration files of Cerber Versions 1 and 2.
This snapshot shows a machine infected with Cerber 2.

20160815 Cerber 1

Machine infected with Cerber Version 2.

The extensions of encrypted files has changed from .cerber to .cerber2.

20160815 Cerber 220160815 Cerber 3

Partial lists of files infected with Cerber 1 and 2.

Why an update?
The ransomware author may have upgraded the malware because of the release of a decryption tool. The ransomware’s detection rate may have also increased; this version has a new packer (wrapper) to make it harder for security products and analysts to find and examine the malware.

Our analysis did not find many significant changes. This version likes to keep its component files (containing the public key and other data) on disk after the encryption process, whereas the previous version kept the component files only in the registry entries. Files and registry entries have the same content.

20160815 Cerber 4

Version 2’s component files in %appdata% and registry entries.

The location of the encrypted configuration file is updated from the resource section to the last section. We will discuss this further in a future post.

The configuration file
We observed some changes in the configuration files of the two versions. Most are related to encryption tags and antimalware products.

The first change that caught our eye is the addition of rc4_key_size in the encrypt tag. This value was previously calculated at runtime but now is included in the file. The author also updated the infected-files extension to .cerber2 and also modified the value of the rsa_key_size field. The following snippets show some of the changes.

20160815 Cerber 520160815 Cerber 6

Version 1 (left) and Version 2 encryption tags.

Version 2 includes a blacklist to fight against the security products. The av_blacklist tag in the configuration file contains a list of several vendors’ names.

20160815 Cerber 7

Version 2’s av_blacklist tag.

The new av_blacklist tag is reflected in the check tag as a flag in the configuration file.

20160815 Cerber 8

Check tag in Version 1.

20160815 Cerber 9

Check tag in Version 2.

Close_process list enhancements
Some applications use a locking mechanism to prevent other application from accessing or making changes in the files they access to maintain data integrity. Word for Windows does this, for example. To stop a locking mechanism from preventing the encryption of files, Cerber terminates such processes. The list of these processes is kept under the close_process list tag. In this version, Cerber enhances this list significantly, as shown below:

20160815 Cerber 10

The close_process tag in Version 1.

20160815 Cerber 11

The close_process tag in Version 2.

Wallpaper template
Version 2 adds a wallpaper tag, which is a template to create the desktop background on the victim’s machine. The variable fields—including TOR, SITE_N, and PC_ID—is updated at runtime.

20160815 Cerber 12

The wallpaper tag in Version 2.

Anti-VM techniques
Cerber is one of the most comprehensive malware in fighting virtual machines. Cerber detects popular VMs such as Parallel, QEMU, VMware, and VBox. One of the most interesting techniques (in both versions) is Cerber’s enumeration of the registry key “HKLM\\SYSTEM\\CurrentControlSet\\Enum\\PCI”:

20160815 Cerber 13
Accessing the registry: HKLM\\SYSTEM\\CurrentControlSet\\Enum\\PCI.

Each subkey of HKLM\\SYSTEM\\CurrentControlSet\\Enum\\PCI represents a PCI-bus connected device with the following format:

    where VEN stands for Vendor ID in hexadecimal view and DEV stands for Device ID in hexadecimal view.

A table of virtual machines with known hardware vendor IDs:

Vendor Vendor ID
VMware 0x15AD
VBox 0x80EE
Parallel 0x1AB8

The following code snippet compares the subkey name with the VBox vendor ID.

20160815 Cerber 14
Checking the VBox vendor ID.

If Cerber finds any of the vendor IDs among registry key names, it stops and terminates itself.

Cerber is a popular form of ransomware. Given the changes we have observed in the configuration file, we also expect to see change in Cerber’s encryption techniques. We’ll discuss those soon in a further analysis.

Intel Security products detect Cerber under generic names such as Generic.* and BehavesLike.Win32.*.

4 comments on “Cerber Ransomware Updates Configuration File

Leave a Comment

5 − 3 =