{"id":84137,"date":"2017-04-14T10:15:19","date_gmt":"2017-04-14T04:45:19","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=84137"},"modified":"2017-04-14T11:07:47","modified_gmt":"2017-04-14T05:37:47","slug":"cerber-ransomware-kovter-trojan-team-together","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/cerber-ransomware-kovter-trojan-team-together\/","title":{"rendered":"Cerber Ransomware and Kovter Trojan Team up Together"},"content":{"rendered":"

For the last 2 weeks, we have been observing a malware campaign using spam emails that look like they are from United States Postal Service (USPS) or FedEx. These emails are distributing the Cerber Ransomware along with Kovter Trojan – a lethal combination!<\/p>\n

The spam email contains a malicious script file linked to compromised websites from where additional components can be downloaded. We have come across about 300 such websites used in this malware campaign that are hacked and compromised by attackers.<\/p>\n

How the attack works
\n<\/strong>The victim first opens the email attachment containing a script file<\/strong> expecting it to be the document mentioned in the received email.<\/p>\n

\"cerber-and-kovter1\"<\/p>\n

Fig 1. Malicious script file<\/p>\n

The script gets executed by Window\u2019s Wscript and connects to one of the compromised websites for downloading a \u2018counter.js\u2019 file which gets executed from the temp directory itself. The counter.js file then downloads another doc file which is responsible for downloading the Cerber Ransomware payload. The payload is dropped in Windows temp directory (%temp%) from where it gets executed and starts encrypting the victim\u2019s files.<\/p>\n

\"Cerber<\/p>\n

Fig 2. Ransom note of Cerber Ransomware<\/p>\n

Cerber encrypt the user\u2019s data with a random name extension and demands a ransom in exchange for a key that can decrypt the data.<\/p>\n

\"cerber-and-kovter3\"<\/p>\n

Fig 3. Files encrypted by Cerber with random characters<\/p>\n

The attack, however, does not stop at data encryption. The script file <\/strong>(mentioned earlier) then proceeds to install the Kovter fileless malware that hides in Windows Registry making its presence undetectable. Like other Trojans, Kovter gathers the user\u2019s data and sends it to its Command & Control server (CnC) which is controlled by the attacker. Kovter is also used for click fraud campaigns where a computer or a person is maliciously used to click on online ads to generate revenue.<\/p>\n

Read more about Koveter in our blog post: Kovter: the fileless click fraud malware <\/a><\/p>\n

Quick Heal Detection<\/strong><\/p>\n

    \n
  1. Quick Heal Email Protection feature successfully blocks such malicious attachments (the script file, in this case) even before they are executed.<\/li>\n
  2. Quick Heal Web Security feature successfully blocks the malicious websites linked to these attachments.<\/li>\n<\/ol>\n

    Precautionary Measures<\/strong><\/p>\n

      \n
    1. Never open email attachments with double extensions such as .doc.js and doc.vbs – these are most likely to contain malware. Set \u2018systems folder\u2019 options to show extensions for known file types, to identify such files.<\/li>\n
    2. Never download attachments or click on links in emails received from unknown, unwanted or unexpected sources.<\/li>\n
    3. Don\u2019t respond to pop-up notifications or alerts while visiting unfamiliar websites.<\/li>\n
    4. Apply all recommended security updates to your OS, software, and Internet browsers, if not already.<\/li>\n
    5. Have an antivirus software<\/a> installed on your computer that efficiently blocks spam and malicious emails, and automatically restricts access to malicious websites.<\/li>\n<\/ol>\n

       <\/p>\n

      Acknowledgment<\/strong><\/p>\n

        \n
      • Prashant Tilekar
        \nThreat Research and Response Team<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

        For the last 2 weeks, we have been observing a malware campaign using spam emails that look like they are from United States Postal Service (USPS) or FedEx. These emails are distributing the Cerber Ransomware along with Kovter Trojan – a lethal combination! The spam email contains a malicious script file linked to compromised websites […]<\/p>\n","protected":false},"author":29,"featured_media":84139,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24,910],"tags":[1139,1428,1429],"class_list":["post-84137","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware","category-ransomware","tag-banking-trojan","tag-cerber-ransomware","tag-kovter-trojan"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84137"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=84137"}],"version-history":[{"count":4,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84137\/revisions"}],"predecessor-version":[{"id":84142,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84137\/revisions\/84142"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/84139"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=84137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=84137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=84137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}