Locky, Cerber ransomware still expecting, targeting UAC

By | April 29, 2016

Today was a heavy spam day, with the bad guys installing Locky and Cerber crypto-ransomware (among other things) where they could. Ransomware like Locky and Cerber are novelties again after dropping off the mainstream news radar long enough, but they never left the stage. Today’s Locky and Cerber samples show they are still defeating the “Admin Culture” of Windows, even while they are targeting the minority of users that don’t run as full admins.

Locky and Cerber are still targeting User Account Control (UAC), but their success lies with users that are still running Windows XP or have turned off security in Windows 7, 8, and 10 so they run like XP. Today’s samples demonstrate that the bad guys still need our help (and all the news stories suggest they still get our help).

As usual, the infection starts with an email that was faked to get the user to hurry up and run the attachment already. Sadly, this remains a trivial exercise; broken English works, and we are often in so big a hurry that we follow the bad guys instructions. These emails are spammed out throughout the work week and are documented almost instantly online; for example, the Locky sample I tested came from an infection email documented this morning:
https://myonlinesecurity.co.uk/fw-invoice-js-malware/
http://blog.dynamoo.com/2016/04/malware-spam-fw-invoice-from-multiple.html

Today’s Locky sample is delivered by a newer downloader that ProofPoint documented a few weeks ago that they call RockLoader. The email attachment first downloads and starts RockLoader and then RockLoader takes over and downloads and starts Locky.

The Cerber sample comes from an attached MSWord document; once we’re inevitably tricked into turning off Word’s security, the embedded macros in the document download Cerber, start it, and then Cerber takes over from there.

Both Locky and Cerber want full admin control of the machine, so much so that they don’t encrypt anything without it. Though unpopular, the precaution of using the maximum UAC setting and having all security patches applied — stop both.

Locky

Locky UAC prompt via IFileOperation

Locky UAC prompt via IFileOperation

Locky-keeps-trying

2nd Locky UAC prompt minimized on the taskbar

In Locky’s case, today’s sample depends on the RockLoader downloader, which is relatively new and still needs some seasoning. While it accounts for whether it is started on a 64-bit or 32-bit machine, in both cases RockLoader focuses on full admin control first, trying a sequence of UAC bypasses (as Proofpoint detailed in their post linked above). On a fully patched Windows 7 machine, a UAC prompt comes up on every attempt; unless the user lets the malware go, it stops there. Ironically, when run in a non-admin session RockLoader just goes ahead with the infection.

Cerber

Impatiently waiting Cerber UAC prompts

Impatiently waiting Cerber UAC prompts

Not-so-subtle Cerber elevation request

Not-so-subtle Cerber elevation request

As MalwareBytes observed, Cerber is also relatively new.. Nevertheless, Cerber still needs help from an admin user if UAC is in its maximum setting. Cerber doesn’t even wait for the user to take action on elevation to full admin — after it thinks it’s been long enough, it starts another elevation attempt. This goes on for a while as the screenshot below shows. Eventually, it loses patience for this and tries a direct elevation.

Cerber has even less patience for non-admin sessions than Locky: having installed itself, it immediately turns around and uninstalls itself without scrambling any files. It’s probably not intentional, but one of the head-scratchers for both of these ransomware families is turning down infection opportunities.

These examples continue to demonstrate both that Windows is stuck with the “Admin Culture” from its DOS days and that running without full admin control annoys and confuses users and malware alike.