Microsoft Office 365 targeted with massive Cerber ransomware 0-day campaign

Pierluigi Paganini June 28, 2016

Cloud security provider Avanan discovered a number of Cerber Ransomware variants targeting corporate Office 365 users with malicious emails.

Cloud security provider Avanan spotted a number of Cerber Ransomware variants that are targeting corporate Office 365 users with spam or phishing emails leveraging on malicious file attachments.

Threat actors sent an Office document that embedded malicious macros to download the ransomware.

Cerber ransomware zero day campaign

According to a report published by Avanan, threat actors exploited a zero-day vulnerability to deliver the Cerber ransomware,

The ransomware campaign started on June 22, the day after Microsoft started blocking the attachment used in the attacks.

“Starting June 22 at 6:44 a.m. UTC, Avanan’s Cloud Security Platform started to detect a massive attack against its customers that were using Office 365. The attack included a very nasty ransomware virus called Cerber, which was spread through email and encrypted users’ files.” states the report.

Experts from Avanan revealed that the attackers behind the campaign tried to send messages to 57 per cent of the organisations on its security platform using Office 365.

“While difficult to precisely measure how many users got infected, Avanan estimates that roughly 57 percent of organizations using Office 365 received at least one copy of the malware into one of their corporate mailboxes during the time of the attack.”

This specific ransomware encrypts files with AES-256 and requests a 1.24 Bitcoin ransom for unblock the user’s documents.

The experts noticed that strain of the Cerber ransomware used in the attack also takes over the host audio system to read out its ransom note.

Unfortunately, macro-based attacks are still effective, early 2015 the Microsoft Malware Protection Center (MMPC) issued an alert about a surge in the infections of malware using macros to spread their malicious code. The researchers at Microsoft observed a major increase in enable-macros based malware, the most active codes included Adnel and Tarbir.

Recently the campaigns conducted to deliver the Locky and Dridex ransomware malware also leveraged on malicious macros to spread the threat.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Google Widevine DRM, piracy)

you might also like

leave a comment