
Trojan:Win32/Cerber Malware Analysis
A Trojan:Win32/Cerber detection may indicate an active ransomware sample on the system

Trojan:Win32/Cerber is a detection name that Microsoft Defender uses to flag ransomware. The name was originally tied to one specific malware family, but after that family went inactive, Defender has applied it to a wide range of ransomware samples. Malware of this type is commonly seen in attacks on corporations, but every sample is just as capable of harming individual users.

Trojan:Win32/Cerber Overview

Trojan:Win32/Cerber is an older malware classified as ransomware. It first appeared in 2016 and quickly became one of the most common ransomware families. Cerber encrypts files on the infected computer and demands a ransom (usually in Bitcoin) for the decryption key. Its main distribution vector is phishing emails, but its loader is also commonly found hidden in pirated software.

[Screenshot: Trojan:Win32/Cerber detection]

As mentioned in the introduction, the detection name Trojan:Win32/Cerber once referred to a specific ransomware family, Cerber. After that family stopped operating in 2018, Microsoft began using the name for similar ransomware samples. Usually these are small-batch ransomware families that share code with Cerber (or may be its direct descendants).

After infecting a victim’s PC, Win32/Cerber performs some basic checks and begins encrypting data. It appends a custom extension that differs from one sample to another; examples include .cerber, .ba99, .98a0, .a37b, .a563 and .beef. Once encryption finishes, it drops a ransom note demanding payment from the victim.

One unusual tactic I have seen in Trojan:Win32/Cerber is the use of a voice notification. After encryption completes, every folder containing encrypted data holds a ransom note named #DECRYPT MY FILES#.txt, alongside #DECRYPT MY FILES#.html and #DECRYPT MY FILES#.vbs. The .vbs file contains a VBScript that, when executed, reads the following aloud:

“Attention. Attention. Attention. Your documents, photos, databases and other important files have been encrypted!”
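The note names and extensions listed above are the artifacts a responder can look for on a suspect volume. The following Python script is an added example, not code from the original post or from GridinSoft: it walks a directory tree, reports the three ransom-note names, tallies files whose extension is one of the listed ones or matches the four-hex-character pattern those sample-specific extensions share (my assumption, used only as a weaker signal), and returns a verdict. The sample tree it builds, the per-directory threshold and all function names are constructed for this example.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Ransom-note names and extensions quoted in the write-up above.
RANSOM_NOTE_NAMES = {
    "#DECRYPT MY FILES#.txt",
    "#DECRYPT MY FILES#.html",
    "#DECRYPT MY FILES#.vbs",
}
KNOWN_EXTENSIONS = {".cerber", ".ba99", ".98a0", ".a37b", ".a563", ".beef"}
# Heuristic (my assumption): the sample-specific extensions are four hex characters,
# so unknown ".xxxx" hex extensions are counted as a weaker "hex_ext" signal.
HEX4_EXTENSION = re.compile(r"^\.[0-9a-f]{4}$")
# Threshold (my choice): a directory with this many candidates is suspicious even
# without a note, so a single stray ".cafe" or ".dead" file does not raise an alert.
MIN_ENCRYPTED_FILES = 5


def classify(path):
    """Label one file as 'note', 'known_ext', 'hex_ext' or None."""
    path = Path(path)
    if path.name in RANSOM_NOTE_NAMES:
        return "note"
    ext = path.suffix.lower()
    if ext in KNOWN_EXTENSIONS:
        return "known_ext"
    if HEX4_EXTENSION.match(ext):
        return "hex_ext"
    return None


def scan_tree(root):
    """Walk root and return notes found, candidate counts per directory, and a verdict."""
    root = Path(root)
    notes = []
    per_dir = {}
    for dirpath, _, filenames in os.walk(root):
        counts = Counter()
        for name in filenames:
            label = classify(Path(dirpath, name))
            if label == "note":
                notes.append(str(Path(dirpath, name).relative_to(root)))
            elif label:
                counts[label] += 1
        if counts:
            per_dir[str(Path(dirpath).relative_to(root))] = dict(counts)
    worst_dir = max((sum(c.values()) for c in per_dir.values()), default=0)
    return {
        "notes": sorted(notes),
        "candidates_per_dir": per_dir,
        "suspicious": bool(notes) or worst_dir >= MIN_ENCRYPTED_FILES,
    }


def demo():
    """Build a constructed victim-like tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "Documents")
        docs.mkdir()
        # Constructed "encrypted" files carrying one of the listed extensions.
        for stem in ("report.docx", "photo.jpg", "budget.xlsx", "notes.txt", "thesis.pdf"):
            (docs / f"{stem}.a37b").write_text("constructed ciphertext placeholder")
        for note in RANSOM_NOTE_NAMES:
            (docs / note).write_text("constructed ransom note")
        # Clean files: ".java" is not four hex characters, ".txt" is not in the list.
        Path(tmp, "Main.java").write_text("clean file")
        Path(tmp, "readme.txt").write_text("clean file")
        return scan_tree(tmp)


if __name__ == "__main__":
    print(demo())
```

Run `scan_tree` against a mounted image or a user profile copy; the per-directory counts matter because Cerber-style samples encrypt whole folders, so a single directory full of identical unknown extensions is a stronger indicator than the same files spread across the disk.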

Technical Analysis

Let’s examine how Trojan:Win32/Cerber behaves using a real-world sample from this family. The file masquerades as an IObit utility, and even has all of its file metadata fields filled in to match the legitimate product.

[Screenshot: Cerber signature info on VirusTotal]

Upon infiltrating the system, the malware first checks that it is not running in a virtual environment. It then checks the system’s location to avoid infecting specific regions. During these checks it queries the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\WMIC.exe
\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\System

To stage its files, the Cerber Trojan uses system temporary folders, specifically AppData\Local\Temp. Upon execution, the malware creates a copy of itself in that folder and points all of its persistence hooks at this copy. The original sample then deletes itself to cover its tracks and requests a system reboot. This looks fairly natural given that the reviewed sample is disguised as a system tuning utility.

Execution

After completing its checks, the malware begins its primary task: encrypting data. It uses legitimate Windows tools, such as the command prompt, to automate actions and hide its traces. The following processes are launched:

C:\Users\\AppData\Local\Temp\Ahpdate.exe
C:\Windows\System32\taskkill.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\System32\schtasks.exe

The first entry runs the executable placed in the temporary folder. The rest are system commands that terminate active processes (such as antivirus software), register the malware in the Windows Task Scheduler, and start certain system functions.

Like most ransomware, Cerber deletes Volume Shadow Copies so that files cannot be restored from them. To do so, it runs the following:

IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ShadowCopy
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe shadowcopy delete

In short, Cerber enumerates all objects of the Win32_ShadowCopy class (that is, every existing shadow copy) and then deletes them.
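The process list in the Execution section and the shadow-copy deletion above are both visible in process-creation telemetry, which makes them good detection material. The script below is an added example, not code from the original post or from GridinSoft: it parses a constructed `parent|image|cmdline` log modelled on the commands quoted above and tags executables running from `AppData\Local\Temp`, admin tools (taskkill, schtasks, wmic) spawned by a Temp-resident parent, the `Win32_ShadowCopy` enumeration, and the `wmic shadowcopy delete` command. The log format, user name, paths of benign events, tag names and severity ladder are my own assumptions; only the commands themselves come from the page.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # image path of the parent process
    image: str    # image path of the created process
    cmdline: str  # command line as logged

# Constructed process-creation log (parent|image|cmdline). The Ahpdate.exe, taskkill,
# schtasks, svchost -k swprv and wmic entries mirror the write-up; the rest is filler.
SAMPLE_LOG = r"""
C:\Windows\explorer.exe|C:\Users\victim\AppData\Local\Temp\Ahpdate.exe|C:\Users\victim\AppData\Local\Temp\Ahpdate.exe
C:\Users\victim\AppData\Local\Temp\Ahpdate.exe|C:\Windows\System32\taskkill.exe|C:\Windows\System32\taskkill.exe
C:\Users\victim\AppData\Local\Temp\Ahpdate.exe|C:\Windows\System32\schtasks.exe|C:\Windows\System32\schtasks.exe
C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|C:\Windows\System32\svchost.exe -k swprv
C:\Users\victim\AppData\Local\Temp\Ahpdate.exe|C:\Windows\system32\wbem\wmic.exe|C:\Windows\system32\wbem\wmic.exe shadowcopy delete
C:\Windows\explorer.exe|C:\Program Files\Notepad++\notepad++.exe|C:\Program Files\Notepad++\notepad++.exe
"""

# Detection rules (my own, derived from the behaviour described above).
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SHADOW_DELETE = re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE)
SHADOW_ENUM = re.compile(r"select\s+\*\s+from\s+win32_shadowcopy", re.IGNORECASE)
# Admin tools that a user-writable Temp folder should never be the parent of.
TEMP_SPAWNED_TOOLS = ("taskkill.exe", "schtasks.exe", "wmic.exe")


def parse_log(text):
    """Parse the pipe-separated log into ProcEvent records, skipping blank lines."""
    events = []
    for line in text.strip().splitlines():
        parent, image, cmdline = (part.strip() for part in line.split("|", 2))
        events.append(ProcEvent(parent, image, cmdline))
    return events


def evaluate(ev):
    """Return the list of rule tags that fire for one event (empty if benign)."""
    tags = []
    if TEMP_DIR.search(ev.image):
        tags.append("exec_from_temp")
    if ev.image.lower().endswith(TEMP_SPAWNED_TOOLS) and TEMP_DIR.search(ev.parent):
        tags.append("temp_parent_spawns_admin_tool")
    if SHADOW_ENUM.search(ev.cmdline):
        tags.append("shadow_copy_enum")
    if SHADOW_DELETE.search(ev.cmdline):
        tags.append("shadow_copy_delete")
    # Note: svchost -k swprv and vssvc.exe starting by themselves are just the VSS
    # service waking up; they are deliberately not tagged, as they would be noise.
    return tags


def triage(text):
    """Evaluate every event and roll the hits up into a single severity."""
    findings = [(ev.image, evaluate(ev)) for ev in parse_log(text)]
    findings = [(image, tags) for image, tags in findings if tags]
    all_tags = {tag for _, tags in findings for tag in tags}
    if "shadow_copy_delete" in all_tags:
        severity = "high"
    elif all_tags & {"temp_parent_spawns_admin_tool", "exec_from_temp", "shadow_copy_enum"}:
        severity = "medium"
    else:
        severity = "low"
    return {"findings": findings, "severity": severity}


if __name__ == "__main__":
    for image, tags in triage(SAMPLE_LOG)["findings"]:
        print(f"{image}: {', '.join(tags)}")
    print("severity:", triage(SAMPLE_LOG)["severity"])
```

The shadow-copy deletion is the highest-confidence signal because almost no legitimate software issues it from an interactive session, so it alone escalates the verdict; the Temp-parent rules are weaker on their own but, correlated with the deletion, reproduce the whole chain described in this analysis.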

Is Trojan:Win32/Cerber a False Positive?

In most cases the detection is genuine, but there are rare instances when Trojan:Win32/Cerber is a false positive. Surprisingly, this flag sometimes appears on game files installed via Steam or other official platforms. It can happen because a code fragment in the file coincides with a signature pattern shared with known malware. When this happens to a legitimate file, updating the signature databases to the latest version typically resolves the issue.

[Screenshot: Trojan:Win32/Cerber flagged as a false positive]

Mods, add-ons and game hacks are a different matter: there, the likelihood of a genuine Trojan:Win32/Cerber detection is much higher. The first two are made by third-party developers and may be distributed through third-party websites, while the last is generally illegal. Embedding malware into hacks, cheats and game cracks is a common practice among malicious actors.

How To Remove Trojan:Win32/Cerber?

To completely remove Trojan:Win32/Cerber, use an advanced anti-malware solution. More importantly, the protection should neutralize ransomware at the download stage; otherwise, the malware will carry out its irreversible actions. I recommend GridinSoft Anti-Malware because its engine detects most threats, and its Internet Security module blocks potentially malicious websites, significantly reducing exposure to this attack vector.

[Screenshot: GridinSoft Anti-Malware main screen]

Download and install Anti-Malware. After installation, run a Full scan: this checks all volumes present in the system, including hidden folders and system files. Scanning takes around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted items. You can adjust the action the program takes for each item: click "Advanced mode" and use the drop-down menus. Extended information about each detection is also shown: malware type, effects and the likely source of infection.

[Screenshot: Scan results screen]

Click "Clean Now" to start the removal process. Note that removal may take several minutes when there are many detections. Do not interrupt the process, and your system will be as clean as new.

[Screenshot: Removal finished]

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.
