Cerber ransom note

The Cerber ransomware has received an update that allows it to collect and steal data from a victim's computer, similar to an infostealer.

According to Gilbert Sison and Janus Agcaoili, two security researchers at Trend Micro, the most recent version of the Cerber ransomware can dump passwords saved in browsers and steal files related to Bitcoin wallets.

Cerber adds infostealer features

More precisely, Cerber can dump passwords stored in browsers such as Internet Explorer, Google Chrome, and Mozilla Firefox.

Cerber also looks for data files belonging to three Bitcoin wallet apps. It searches for and steals files named wallet.dat (used by the official Bitcoin Core wallet), *.wallet (used by the Multibit wallet app), and electrum.dat (used by the Electrum wallet app).

While the passwords extracted from the user's browsers will be useful for taking over online accounts, the Bitcoin wallet data may be of little use to the attackers.

None of these files necessarily gives the attacker what is needed to spend the victim's coins: wallet files can be encrypted with a passphrase that is not stored alongside them. Furthermore, the Electrum app has not used the electrum.dat file to store wallet information since 2013. This suggests the Cerber crew copied the infostealer code from another project without checking how effective it would actually be.
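The file names listed above make a compact hunting rule for defenders. The following is an added example, not code from Trend Micro or from the malware: it parses constructed file-access records (the record format, the process allowlist, and the sample log lines are assumptions made for this illustration) and flags any process other than the wallet application itself reading one of the targeted wallet files. The electrum.dat entry is labelled as a legacy path, since current Electrum versions no longer write it.

```python
"""Hunt for processes touching the wallet files Cerber's infostealer module targets.

Added example, not Trend Micro's or Cerber's code. The file patterns are the ones
named in the write-up; the process allowlist, the log record format and the
sample log lines are constructed assumptions for illustration.
"""
import fnmatch
import ntpath
from typing import Optional

# File names Cerber searches for (from the write-up), mapped to the wallet app.
WALLET_TARGETS = {
    "wallet.dat": "Bitcoin Core",
    "*.wallet": "Multibit",
    "electrum.dat": "Electrum (legacy layout, unused since 2013)",
}

# Assumption: processes that legitimately open each wallet file.
# Any other process reading a wallet file deserves a closer look.
EXPECTED_READERS = {
    "Bitcoin Core": {"bitcoin-qt.exe", "bitcoind.exe"},
    "Multibit": {"multibit.exe", "javaw.exe"},
    "Electrum (legacy layout, unused since 2013)": {"electrum.exe", "python.exe"},
}


def classify_path(path: str) -> Optional[str]:
    """Return the wallet app a path belongs to, or None if Cerber would ignore it."""
    name = ntpath.basename(path).lower()  # ntpath handles Windows paths on any OS
    for pattern, app in WALLET_TARGETS.items():
        if fnmatch.fnmatchcase(name, pattern):
            return app
    return None


def parse_event(line: str) -> Optional[dict]:
    """Parse one constructed file-access record: time|process|action|path."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    ts, proc, action, path = parts
    return {"ts": ts, "process": proc.lower(), "action": action.upper(), "path": path}


def find_wallet_theft(lines):
    """Flag read/copy access to wallet files by processes that should not touch them."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        app = classify_path(ev["path"])
        if app is None or ev["action"] not in {"READ", "COPY"}:
            continue
        if ev["process"] in EXPECTED_READERS.get(app, set()):
            continue
        hits.append((ev["ts"], ev["process"], app, ev["path"]))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    "2017-08-03T10:01:02|bitcoin-qt.exe|READ|C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat",
    "2017-08-03T10:05:17|svchost_update.exe|READ|C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat",
    "2017-08-03T10:05:18|svchost_update.exe|READ|C:\\Users\\alice\\AppData\\Roaming\\MultiBit\\multibit.wallet",
    "2017-08-03T10:05:19|svchost_update.exe|READ|C:\\Users\\alice\\AppData\\Roaming\\Electrum\\electrum.dat",
    "2017-08-03T10:05:20|svchost_update.exe|READ|C:\\Users\\alice\\Documents\\notes.txt",
    "2017-08-03T10:06:00|explorer.exe|STAT|C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat",
]

if __name__ == "__main__":
    for ts, proc, app, path in find_wallet_theft(SAMPLE_LOG):
        print(f"{ts} {proc} read {app} wallet file {path}")
```

Run against the constructed log, only the three reads by the unexpected process are reported; the wallet application's own access and a bare metadata check are ignored. Feeding it real file-access telemetry (for example Sysmon or EDR file events) is a matter of swapping out parse_event for the tool's record format.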

"This new feature shows that attackers are trying out new ways to monetize ransomware," the two researchers say. "Stealing the Bitcoins of targeted users would represent a valuable source of potential income."

Cerber is not the first

Cerber is not the first ransomware with infostealer features. The first one was a ransomware family named Kriptovor, spotted by FireEye in April 2015.

A year later, the CryptXXX ransomware also added support for stealing Bitcoin wallet data, and later for dumping browser credentials.

SHA256 hash: 6c9f7b72c39ae7d11f12dd5dc3fb70eb6c2263eaefea1ff06aa88945875daf27