UPDATED 23:42 EDT / MARCH 29 2017


New version of Cerber ransomware evades machine learning

A new version of the notorious Cerber ransomware has been discovered that is harder to detect than ever because it can evade machine learning.

Discovered by researchers at Trend Micro Inc., the new version uses a new loader designed to evade detection by machine learning solutions: the stages of the malware are split across multiple files, which are then dynamically injected into running processes rather than shipped as a single recognisable binary.

The delivery method has also changed. The new version still arrives via a malicious phishing email, but instead of carrying an attachment the email contains a link to a Dropbox-hosted self-extracting archive; opening it unpacks and runs the malware payload.

Once running, the new version checks whether it is inside a virtual machine or sandbox and whether certain security or analysis products are present on the machine. If any of these checks trips, it exits immediately instead of running its payload. Malware analysts and automated sandboxes rely on exactly these environments to observe what a sample does and to derive detections from it; a sample that refuses to run there produces no behaviour to analyse, which delays detection and response.
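As an added example (not from the article or from Trend Micro's research), the following Python script looks at the same question from the defender's side: it audits a snapshot of the analysis host for the cheap artifacts a pre-flight check like the one described above would test for, so an analyst can see whether a sample would recognise their sandbox. The indicator lists, both snapshots and the `audit()`/`collect_live()` helpers are constructed assumptions for this illustration, not Cerber's actual checks; `collect_live()` is a best-effort collector for Linux paths and returns partial data elsewhere.

```python
"""Added example, not part of the original article: audit an analysis host for
the artifacts an evasive sample can cheaply check before deciding to run."""
import os
import uuid

# Process names commonly associated with analysis tooling or VM guest agents
# (assumed list; extend it with whatever your own sandbox runs).
ANALYSIS_PROCESSES = {
    "procmon.exe", "procmon64.exe", "wireshark.exe", "x64dbg.exe", "ollydbg.exe",
    "idaq.exe", "ida64.exe", "sysmon.exe",
    "vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe",       # Windows guest agents
    "vboxservice", "vmtoolsd", "qemu-ga",                    # Linux guest agents
}
# Hypervisor vendor strings as exposed through DMI/SMBIOS (assumed list).
VM_VENDOR_STRINGS = ("vmware", "virtualbox", "innotek", "qemu", "kvm", "xen", "bochs")
# MAC OUIs registered to hypervisor vendors (assumed list, first three bytes).
VM_MAC_OUIS = {
    "00:05:69", "00:0c:29", "00:1c:14", "00:50:56",  # VMware
    "08:00:27",                                      # VirtualBox
    "52:54:00",                                      # QEMU/KVM default
}


def mac_oui(mac: str) -> str:
    """Return the lower-cased OUI (first three octets) of a MAC address."""
    return ":".join(mac.lower().split(":")[:3])


def audit(snapshot: dict) -> dict:
    """Evaluate a host snapshot the way a pre-flight evasion check would.

    snapshot keys: processes (list[str]), sys_vendor (str), mac (str),
    cpu_count (int), ram_gb (float).
    """
    findings = []
    procs = {p.lower() for p in snapshot.get("processes", [])}
    hits = sorted(procs & ANALYSIS_PROCESSES)
    if hits:
        findings.append("analysis/VM guest processes running: " + ", ".join(hits))
    vendor = snapshot.get("sys_vendor", "").lower()
    if any(v in vendor for v in VM_VENDOR_STRINGS):
        findings.append(f"hypervisor vendor string in DMI: {snapshot['sys_vendor']!r}")
    if mac_oui(snapshot.get("mac", "")) in VM_MAC_OUIS:
        findings.append("hypervisor MAC OUI: " + mac_oui(snapshot["mac"]))
    if snapshot.get("cpu_count", 0) < 2 or snapshot.get("ram_gb", 0) < 4:
        findings.append("undersized machine (few CPUs / little RAM), typical of sandboxes")
    # would_evade: a sample applying these checks would refuse to run here.
    return {"would_evade": bool(findings), "findings": findings}


def collect_live() -> dict:
    """Best-effort snapshot of the current host (Linux paths; partial elsewhere)."""
    snap = {"processes": [], "sys_vendor": "", "mac": "",
            "cpu_count": os.cpu_count() or 0, "ram_gb": 0.0}
    try:
        with open("/sys/class/dmi/id/sys_vendor") as f:
            snap["sys_vendor"] = f.read().strip()
    except OSError:
        pass
    try:
        for pid in filter(str.isdigit, os.listdir("/proc")):
            with open(f"/proc/{pid}/comm") as f:
                snap["processes"].append(f.read().strip())
    except OSError:
        pass
    node = uuid.getnode()
    snap["mac"] = ":".join(f"{(node >> s) & 0xff:02x}" for s in range(40, -1, -8))
    try:
        snap["ram_gb"] = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / 2 ** 30
    except (ValueError, OSError, AttributeError):
        pass
    return snap


# Constructed snapshots: a typical default sandbox VM and a bare-metal workstation.
SANDBOX_SNAPSHOT = {
    "processes": ["explorer.exe", "vmtoolsd.exe", "procmon64.exe"],
    "sys_vendor": "VMware, Inc.", "mac": "00:50:56:ab:cd:ef",
    "cpu_count": 1, "ram_gb": 2.0,
}
BARE_METAL_SNAPSHOT = {
    "processes": ["explorer.exe", "chrome.exe"],
    "sys_vendor": "Dell Inc.", "mac": "3c:97:0e:12:34:56",
    "cpu_count": 8, "ram_gb": 16.0,
}

if __name__ == "__main__":
    for name, snap in (("sandbox", SANDBOX_SNAPSHOT),
                       ("bare metal", BARE_METAL_SNAPSHOT),
                       ("this host", collect_live())):
        print(name, audit(snap))
```

Each finding maps to a concrete hardening step for the analysis VM (rename or hide guest agents, spoof DMI strings and MAC OUI, give the VM realistic CPU and memory), which is the practical value of knowing what the sample looks at.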

“The new packaging and loading mechanism employed by Cerber can cause problems for static machine learning approaches, i.e., methods that analyze a file without any execution or emulation,” Trend Micro’s Gilbert Sison explained in a blog post. “Self-extracting files and simple, straightforward files could pose a problem for static machine learning file detection.”

“All self-extracting files may look similar by structure, regardless of the content. Unpacked binaries with limited features may not look malicious either,” he added. “In other words, the way Cerber is packaged could be said to be designed to evade machine learning file detection. For every new malware detection technique, an equivalent evasion technique is created out of necessity.”

Cerber was discovered in March 2016 and has previously evolved, including a new version discovered in October that can kill database processes.

While the new version of Cerber does attempt to evade detection methods including machine learning, all hope is not lost. Sison noted that machine learning models which analyze behavior while Cerber is running can still be effective, and that the new version “does not defeat an anti-malware approach that uses multiple layers of protection.”

Image: Trend Micro
