2017-03-31 - "BLANK SLATE" CAMPAIGN STILL PUSHING CERBER RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-03-31-Blank-Slate-activity-14-pcaps.zip 4.5 MB (4,532,118 bytes)
- 2017-03-31-Blank-Slate-malspam-tracker.csv.zip 2.9 kB (2,896 bytes)
- 2017-03-31-Blank-Slate-emails-and-Cerber-ransomware.zip 3.6 MB (3,605,659 bytes)
BACKGROUND:
- For background on this campaign, see the Palo Alto Networks Unit 42 Blog: "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
- I wrote a follow-up for the Internet Storm Center (ISC) titled: "Blank Slate" malspam still pushing Cerber ransomware.
EMAILS
Shown above: Screen shot from the spreadsheet tracker. Review that document for more details.
TRAFFIC
HTTP TRAFFIC FOR THE RANSOMWARE:
- 35.166.163[.]174 port 80 - truemityunituistep[.]top - GET /search.php
- 35.166.163[.]174 port 80 - truemityunituistep[.]top - GET /__files__/1
- 47.90.205[.]113 port 80 - www.chromefastl[.]top - GET /user.php?f=2.gif
- 47.90.205[.]113 port 80 - www.chromehakc[.]top - GET /user.php?f=2.gif
- 47.90.205[.]113 port 80 - www.fffgooaldq[.]top - GET /user.php?f=2.gif
- 47.90.205[.]113 port 80 - www.ffjoleedas[.]top - GET /user.php?f=2.gif
- 47.90.205[.]113 port 80 - www.hoopcinezc[.]top - GET /user.php?f=2.gif
- 47.90.205[.]113 port 80 - www.newsectorbs[.]top - GET /user.php?f=2.gif
- 54.149.101[.]37 port 80 - jhdgh[.]trade - GET /search.php
- 54.149.101[.]37 port 80 - jhdgh[.]site - GET /search.php
- 54.149.101[.]37 port 80 - polkiuj[.]bid - GET /search.php
HTTP TRAFFIC FOR RANSOMWARE DOWNLOAD FROM FAKE CHROME INSTALL PAGE:
- 47.90.205[.]113 port 80 - www.chromefastl[.]top - GET /site/chrome_update.html
- 47.90.205[.]113 port 80 - www.chromefastl[.]top - GET /site/download.php
- 47.90.205[.]113 port 80 - www.chromehakc[.]top - GET /site/chrome_update.html
- 47.90.205[.]113 port 80 - www.chromehakc[.]top - GET /site/download.php
- 47.90.205[.]113 port 80 - www.fffgooaldq[.]top - GET /site/chrome_update.html
- 47.90.205[.]113 port 80 - www.fffgooaldq[.]top - GET /site/download.php
- 47.90.205[.]113 port 80 - www.ffjoleedas[.]top - GET /site/chrome_update.html
- 47.90.205[.]113 port 80 - www.ffjoleedas[.]top - GET /site/download.php
- 47.90.205[.]113 port 80 - www.newsectorbs[.]top - GET /site/chrome_update.html
- 47.90.205[.]113 port 80 - www.newsectorbs[.]top - GET /site/download.php
MALWARE
SHA256 HASHES FOR RANSOMWARE SAMPLES:
- 66fc3e7027cabc29c6ef9bcd40eb92e36530175a89c33dfb4a210ef868af13e0 - Cerber ransomware from chromefastl[.]top on 2017-03-27
- 66fc3e7027cabc29c6ef9bcd40eb92e36530175a89c33dfb4a210ef868af13e0 - Cerber ransomware from chromehakc[.]top on 2017-03-27
- 59118ff55d6c20a08c6d4422972f9741de8b77755695cef9bc95126d46fb0026 - Cerber ransomware from hoopcinezc[.]top on 2017-03-27
- d4dbc24e07aca11e53f1bb733852e4416a8fc7db1c0c947994ec271895fdb0a4 - Cerber ransomware from truemityunituistep[.]top on 2017-03-27
- 8ea494bd84bea2617922a9ed488db44937199b3764ab6cb9f64e49d7e6945a3b - Cerber ransomware from truemityunituistep[.]top on 2017-03-28
- 07be83b0e9ed748c11d16afbd42b5582f192539706f3996a6debebdb575ad259 - Cerber ransomware from newsectorbs[.]top on 2017-03-29
- b0e6d0e366494f94fd05756ec4b6245c74eee8f1c0ea65b21ba5e5f1c79d69c8 - Cerber ransomware from polkiuj[.]bid on 2017-03-29
- 2e3652afd5d79020dd5aa1d95a61fa6c8e67271f16ccb15aacf11accdd9cc790 - Cerber ransomware from fffgooaldq[.]top on 2017-03-31
- 434d95079877a99fc7cf9c01faabe37c185656bd5ffebe627a756641e41e1f5b - Cerber ransomware from ffjoleedas[.]top on 2017-03-31
- 5bcb16e6dd8a023f7daef3cf2193ec4d8b911e3af677be3ebfbe58dbaf6e6d41 - Cerber ransomware from jhdgh[.]site on 2017-03-31
- 0a7786e86d3df2548e12176b5d8aa6db0de9e556450a90f7c36fdbab1392b48f - Cerber ransomware from jhdgh[.]trade on 2017-03-31
IMAGES
Shown above: No more emails seen, but these fake Chrome install pages are still a thing.
Click here to return to the main page.