December 15, 2016
Just in time for the Christmas holiday shopping spree, the group behind the Cerber ransomware has launched a spam campaign that uses fake credit card reports to trick users into opening a Word file that under certain circumstances will download and install the deadly Cerber ransomware.
Detected by the staff of the Microsoft Malware Protection Center, the emails in this spam campaign pretend to be pending payments for MasterCard credit cards.
Below is a breakdown of the email used in the spam campaign, with annotated errors that give it away as a fake.
Analysis of the spam email's message [Source: Microsoft]
The email's clever design is obvious because it plays on everyone's fear of getting billed for items they haven't purchased.
The email uses a sense of urgency to trick victims into opening a password-protected Word document that contains instructions on how to cancel this operation.
The usage of password-protected files is because most banks send customers password-protected files, but also because email scanning systems and anti-malware products can't open to scan the email's attachment.
Word files uses macro and PowerShell scripts to install latest Cerber version
The Word file that comes with these emails contains an attached macro script, which if the user allows to execute, will infect the user with the Cerber ransomware.
When users open the Word document, they see instructions made to look like a Microsoft tech support page, telling the user to Enable Editing, which allows the macro script to execute.
Instructions found inside the Word file [Source: Microsoft]
While most tech-savvy users know to stay away from Word files with macro scripts, when most users see a message like the one above, they generally tend to follow the embedded instructions.
Once users allow the macro script to execute, it's game over, as in a matter of seconds, the macro runs a PowerShell script that downloads and installs the Cerber ransomware, which immediately starts to encrypt the user's files.
According to security researcher @MalwareHunterTeam, who was shown a copy of the ransom note, this is the most recent version of the Cerber ransomware, currently uncrackable.
Ransom note shown by the Cerber ransomware spread via this spam campaign [Source: Microsoft]
It's not a surprise that we're seeing the Cerber gang switch from their classic invoice-themed spam and malvertising campaigns to this fake credit card report.
Other cybercrime operations have also adopted their tactics and intensified operations for the winter holidays season.
For example, according to Proofpoint, the activity surrounding the NewPOSthings and ZeusPOS malware families that target Point-of-Sale terminals has quadrupled for the Thanksgiving holiday, and the subsequent Black Friday events.