2016-12-22 - FAKE WALGREENS MALSPAM DISTRIBUTES CERBER RANSOMWARE

ASSOCIATED FILES:

  • 2016-12-22-Cerber-from-malspam-traffic.pcap   (534,456 bytes)
  • 2016-12-22-Cerber-downloaded-from-Word-macro.exe   (297,642 bytes)
  • 2016-12-22-Cerber-from-malspam_README_FGS6_.hta   (66,409 bytes)
  • 2016-12-22-Cerber-from-malspam_README_FGS6_.jpg   (236,916 bytes)
  • 2016-12-22-Cerber-malspam-0823-UTC.eml   (4,217 bytes)
  • 2016-12-22-fake-invoice-with-malicious-Word-macro.doc   (179,200 bytes)



Shown above:  Flowchart for this infection.


THE EMAIL


Shown above:  Screenshot of the email.



Shown above:  Screenshot of the header information.


EMAIL HEADER LINES:


MESSAGE TEXT:

Walgreens Co.

This message has been auto-generated in connection with the disputed transactions on your account

Transaction ID: J009112693932
Tran.Date    Service Date   Description      Type   Status       Amount
22/12/2016   22/12/2016     WALGREENS#3235   Card   Authorized   127.75 GBP

walgreens.com/J009112693932

Note: to view a full list of transactions, follow this link and open document using Microsoft Word


TRAFFIC


Shown above:  Pcap of the infection traffic filtered in Wireshark.


ASSOCIATED DOMAINS:


FILE HASHES

WORD DOCUMENT FROM THE EMAIL LINK:

CERBER RANSOMWARE AFTER ENABLING MACROS:


IMAGES


Shown above:  Clicking on the email link gave me a Word document.



Shown above:  Opening the Word document shows a message to enable macros, if they're not already enabled.



Shown above:  Desktop of the infected Windows host.



Shown above:  74 US dollars as a ransom payment?  Seems cheap compared to what I'm used to seeing.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.