The Cerber ransomware has gained an ability to steal Bitcoin wallets and browser passwords from host computers, according to a security report. This is done aside from the usual encryption process.
The infamous Cerber ransomware has received a new update, gaining an ability to steal browser passwords and Bitcoin credentials, aside from its usual job of encrypting a victim’s files.
In a recent blog post by Glibert Sison and Janus Agcaoili, security researchers at Trend Micro, the malware is still distributed the old-fashioned way: spam emails. The JavaScript attachment inside it will be responsible for downloading the new Cerber variant, which now reportedly attacks Bitcoin wallets.
To be able to achieve this, it steals three wallet files from three Bitcoin clients: wallet.dat from Bitcoin Core, *.wallet from Multibit, and electrum.dat from Electrum. It’s worth noting, however, that simply acquiring these files won’t mean that Bitcoins can be stolen. The thief would still need to get the password that protects the wallets. Also, the Electrum client has stopped using the above file name since 2013.
Making things worse, the new Cerber variant now attempts to steal passwords saved from browsers like Internet Explorer, Mozilla Firefox, and Google Chrome.
These steps are carried out way before the usual encryption process takes place. All the stolen data will be sent to a Command & Control (C&C) server, and the wallet files will be deleted on the host computer after they have been transferred.
The Cerber ransomware is one of the many crypto-malware strains that have successfully extorted money from victims. A year ago, it was found that it was raking in almost $1 million per year, despite only 0.3% of victims paid. The malware also became capable of detecting virtual machines, which in turn prevents analysis by security researchers.
As always, it helps to be careful in opening the emails we receive, especially attachments within them. Some files are disguised as important or innocuous content, but in reality unleashes dangerous code that could compromise the security of our computers.
Source: Trend Micro via BleepingComputer