{"id":12221,"date":"2016-05-27T09:00:02","date_gmt":"2016-05-27T13:00:02","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=12221"},"modified":"2020-02-27T04:03:35","modified_gmt":"2020-02-26T17:03:35","slug":"cerber-multipurpose-malware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/cerber-multipurpose-malware\/12221\/","title":{"rendered":"Multipurpose malware: Sometimes Trojans come in threes"},"content":{"rendered":"<p>As if ransomware weren\u2019t bad enough, now it\u2019s metastasizing: not just spreading rapidly but even picking up secondary characteristics. Take <a href=\"https:\/\/threatpost.com\/cerber-ransomware-on-the-rise-fueled-by-dridex-botnets\/118090\/\" target=\"_blank\" rel=\"noopener nofollow\">Cerber<\/a>, ransomware first spotted in the wild back in February 2016.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2016\/05\/06022143\/multi-purpose-malware-fb.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-12223\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2016\/05\/06022143\/multi-purpose-malware-fb.jpg\" alt=\"Cerber ransomware delivers a secondary payload\" width=\"1280\" height=\"1280\"><\/a><\/p>\n<p>At the time, Cerber was best known for being somewhat spooky \u2014 instead of merely flashing an ominous message at victims, Cerber delivered its ransom \u201cnote\u201d verbally as well. Still, it was a standard modus operandi: Give us money and we\u2019ll give you back your files.<\/p>\n<h3>Second payload<\/h3>\n<p>Now, Cerber and other Trojans encrypt the data of their victims, and most computer users <a href=\"https:\/\/www.kaspersky.com.au\/blog\/ransomware-study-2016\/\" target=\"_blank\" rel=\"noopener\">haven\u2019t a clue how to handle it<\/a>. Sounds like a great diversionary tactic, doesn\u2019t it?<\/p>\n<p>It seems Cerber distributors agree. Some updated versions of the malware \u2014 which, aided by sophisticated delivery methods, has <a href=\"https:\/\/threatpost.com\/cerber-ransomware-on-the-rise-fueled-by-dridex-botnets\/118090\/\" target=\"_blank\" rel=\"noopener nofollow\">positively exploded in recent months<\/a> \u2014 arrive with a second payload. The bonus gift in this case is one designed to add your computer to a malicious botnet army.<\/p>\n<p>Briefly, here is the sequence of events. First, Cerber arrives in the form of an e-mail attachment. Once executed, the virus behaves like any other ransomware, encrypting files and demanding money for their safe return. But then, security researchers are finding, it confirms the computer\u2019s Internet connection and begins using the infected PC for other purposes, such as for a distributed denial-of-service (DDoS) attack or as a spambot.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/Cerber?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Cerber<\/a> ransomware on the rise, fueled by <a href=\"https:\/\/twitter.com\/hashtag\/Dridex?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Dridex<\/a> botnets via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"https:\/\/t.co\/GBEdClImo3\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/GBEdClImo3<\/a> <a href=\"https:\/\/t.co\/cP3ySzx2z8\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/cP3ySzx2z8<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/732284939945836544?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">May 16, 2016<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<h3>Multipurpose malware on the rise<\/h3>\n<p>\u201cCerber\u201d is actually an apt name for malware that is part of this multipayload trend. Like Cerberus, the three-headed dog of Greek mythology, it is neither simple nor straightforward to vanquish \u2014 and that makes the approach attractive to cybercriminals.<\/p>\n<p>Cerber is not the first ransomware we\u2019ve seen in 2016 to add an extra payload, either. For example, Petya, ransomware that encrypted victims\u2019 entire hard drive but required users to grant it permission first, <a href=\"https:\/\/www.kaspersky.com.au\/blog\/mischa-ransomware\/12135\/\" target=\"_blank\" rel=\"noopener\">added Mischa to its installation routine<\/a> to guarantee infection. And CryptXXX added the ability to <a href=\"https:\/\/www.kaspersky.com.au\/blog\/cryptxxx-ransomware\/11939\/\" target=\"_blank\" rel=\"noopener\">steal information and bitcoins<\/a> to its otherwise normal ransomware payload.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Caught with <a href=\"https:\/\/twitter.com\/hashtag\/CryptXXX?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#CryptXXX<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Ransomware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Ransomware<\/a>? Our tool can unlock your files without paying.  <a href=\"https:\/\/t.co\/8iRG44Ylui\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/8iRG44Ylui<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#infosec<\/a> <a href=\"https:\/\/t.co\/uTHYa7QaEl\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/uTHYa7QaEl<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/724973379808296962?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">April 26, 2016<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Ransomware is crime that pays, and pays well. Expect that Cerber is at the head, not the tail, of this trend of multifarious ransomware viruses. Stay informed and protected to maximize your odds of staying safe.<\/p>\n<h3>Avoiding Cerber<\/h3>\n<p>Malware such as Cerber continues to be delivered in ways that make it fairly easily avoidable. To minimize your chances of falling victim to Cerber \u2014 and minimize the damage in case you do encounter it:<\/p>\n<ol>\n<li>Be wary of all emails. Never click on a link in a message that is obviously spam, but also avoid clicking through in what looks like a <a href=\"https:\/\/www.kaspersky.com.au\/blog\/phishing-ten-tips\/10550\/\" target=\"_blank\" rel=\"noopener\">legitimate business email<\/a> or even a message that <a href=\"https:\/\/usa.kaspersky.com\/internet-security-center\/threats\/what-to-do-if-your-email-account-has-been-hacked#.V0SXm_krK70\" target=\"_blank\" rel=\"noopener\">appears to be<\/a> from someone you know and trust.<\/li>\n<li>Back up your files. Back them up again, and back up them up regularly.<\/li>\n<li>Apply operating system and application patches as soon as they become available. Like spam links, unpatched exploits are a hugely popular point of entry for malware.<\/li>\n<li>Run security solution, like <a href=\"https:\/\/www.kaspersky.com\/advert\/multi-device-security?redef=1&amp;THRU&amp;reseller=gl_KDpost_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___&amp;_ga=1.23327290.1273636079.1462449050\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Internet Security<\/a> \u2014 all of the time \u2014 and keep it up to date. You need protection on all connected devices, too. Kaspersky Lab solutions detect Cerber as Trojan-Ransom.Win32.Zerber.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Ransomware is a tough nut to crack \u2014 and while it\u2019s distracting you by encrypting your files, it may also be turning your computer into a zombie.<\/p>\n","protected":false},"author":2045,"featured_media":12224,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2646,9],"tags":[1852,1640,180,36,192,420,97,422,241,145],"class_list":{"0":"post-12221","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"category-tips","9":"tag-advice","10":"tag-cerber","11":"tag-kaspersky-internet-security","12":"tag-malware-2","13":"tag-protection","14":"tag-ransomware","15":"tag-security-2","16":"tag-threats","17":"tag-trojan","18":"tag-virus"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/cerber-multipurpose-malware\/12221\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/cerber-multipurpose-malware\/7201\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/cerber-multipurpose-malware\/7248\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/cerber-multipurpose-malware\/7177\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/cerber-multipurpose-malware\/8401\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/cerber-multipurpose-malware\/8272\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/cerber-multipurpose-malware\/12046\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/cerber-multipurpose-malware\/12221\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/cerber-multipurpose-malware\/5719\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/cerber-multipurpose-malware\/6344\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/cerber-multipurpose-malware\/7851\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/cerber-multipurpose-malware\/11557\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/cerber-multipurpose-malware\/12046\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/cerber-multipurpose-malware\/12221\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/advice\/","name":"#advice"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/12221","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2045"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=12221"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/12221\/revisions"}],"predecessor-version":[{"id":26887,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/12221\/revisions\/26887"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/12224"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=12221"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=12221"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=12221"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}