Cyber security researchers identified that the Magnitude exploit kit is being used to spread Cerber ransomware samples worldwide. The hackers behind the large-scale campaign are using a different strategy with the hope of increasing the infection ratio.
Cerber Ransomware Hacker Operators Opt for Magnitude Exploit Kit
The Magnitude Exploit kit is one of the popular hacking tools of late. Hackers have used it in the several past months to distribute different kinds of malware. Security experts found out that computer criminals are now using it to spread various Cerber ransomware strains. The primary reason for doing this is that the exploit kit allows the hackers to customize the samples according to the targets. One of the reasons why the Magnitude exploit kit attacks carrying the Cerber ransomware grew in popularity is that large attacks have been initiated in the past. Famous hacker attempts were made against South Korea via a redirection attack powered by the malware known as “Magnigate”.
In essence this strategy aims to achieve two end results:
- Setting up a counterfeit site that redirects to malware-infected scripts.
- Used with conjunction with elaborate exploit kit operations making it possible to send several different types of malware to the potential victims.
The Magnitude exploit kit makes it possible for criminals to infect the targets using popular vulnerabilities. Examples include popular software such as the Internet Explorer web browser or the Adobe Flash plugin. An interesting feature associated with this particular threat is the fact that it uses a XML configuration file along with embedded JavaScript code. This makes it possible for the hackers to easily customize the strains according to the targets and the intended end results.
Users can get redirected to the Cerber instances by falling victim to one of the usual distribution strategies:
- Email Spam Messages ‒ The hackers can generate email spam campaigns that may include social engineering tricks to try and make the targets infect themselves. Usually the Cerber ransomware variants are linked in the body contents or attached as files to the messages. Depending on the hacker campaign they may also be disguised as legitimate installers or documents.
- Infected Software Installers ‒ It is possible to distribute infected software installers using fake site redirects. The hackers can modify well-known software packages and include the Cerber ransomware as payloads.
- Infected Documents ‒ Vulnerabilites that lead to Cerber ransomware infections are often built-in in malicious documents. They may be of different types according to the case scenario: rich text documents, spreadsheets, databases and etc.
How the Cerber Ransomware Is Handled by the Magnitude Exploit Kit
The captured Magnitude Exploit kit samples that deliver the Cerber ransomware were found to use different infection strategies. This means that the hackers behind the operation seek to create an optimized approach that would be most suitable to the intended victims.
A binary file called regsvr32.exe has been used to retrieve a remote file from the hacker-controlled servers. Numerous versions of this behavior were observed: the payload may be downloaded to a temporary folder, the user desktop or another location. Newer versions employ JavaScript code in order to try and hide the instances from anti-virus products.
WARNING: Software vulnerability exploits are among the most popular ways of getting infected with dangerous viruses such as the Cerber ransomware. We recommend that all users utilize a quality anti-spyware solution and perform frequent updates to defend themselves from intrusions.
The redirection sites and the newer versions of the malicious scripts result in the download and execution of the Cerber ransomware on the local computers.
Magnitude Exploit Kit Evolves Along With The Cerber Strains
According to the available research the Magnitude exploit kit remains one of the few hacker tools that are still updated constantly by the hacker underground. And even though it has been known for quite some time no information about the identities of its developers is known. The newer versions found in the last attack campaigns showcase binary padding stealth techniques as well as a customizable configuration file.
The ongoing attacks are customized and operated in an campaign style. The hackers generate a configuration file that contains the “rules” and general behavior patterns and then the Magnitude Exploit Kit is used to generate the required payloads. Next the hackers distribute the malware through various channels: emails, web sites, ad networks, redirects and browser hijackers.
A potential danger is the use of the platform to launch a series of malware or a combined new threat. To a larger degree the success of the ransomware infections depend on the tools and strategies used to infect the predefined targets. The fact that the Magnitude exploit kit grows in popularity every month makes it a worthwhile contender among the premier hacking tools.
How To Protect From The Magnitude Exploit Kit and Cerber Ransomware Attacks
Dangerous payload downloaders like the Magnitude exploit kit are used to both infiltrate the system and install malware on the target hosts. We revealed that the kit can be used to deliver the dangerous Cerber ransomware but it can also cause other potential security threats as well:
- Trojan Function ‒ Malicious threats such as Magnitude can include a virus component that is able to take over control of the host computer. Trojan modules allow the remote operators to spy on the users in real time and download arbitrary files and data. The consequences of such actions can result in credentials theft or serious financial crimes and abuse.
- Botnet Recruitment ‒ Exploit kits are a possible source for recruiting computers into worldwide zombie networks. When the users fall for the exploit the script does not infiltrate them with the Cerber ransomware code, but to a C&C (command and control) server that infiltrates the operating system and key processes. This allows the criminals to take over control of the machine and utilize its resources as they see fit.
- Further Malware Attacks ‒ The infected hosts can be used to send viruses and attempt to infiltrate other computers on the same network or over the Internet. This is usually done by preconfiguring scripts embedded in the payload.
The best protection against possible hacker attacks is to employ a quality anti-spyware solution. Using a state of the art security product guarantees that you will be protected by all known and upcoming computer viruses and intrusion attempts.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: