2017-04-27 - "BLANK SLATE" CAMPAIGN STILL PUSHING CERBER RANSOMWARE, ALSO EXPLOITING CVE-2017-0199

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-04-27-Blank-Slate-campaign-5-pcaps.zip   1.1 MB (1,127,345 bytes)
• 2017-04-27-Blank-Slate-malspam-tracker.csv.zip   1.6 kB (1,634 bytes)
• 2017-04-27-Blank-Slate-emails-and-Cerber-ransomware.zip   1.5 MB (1,459,587 bytes)

BACKGROUND:

• For background on this campaign, see the Palo Alto Networks Unit 42 Blog:  "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
• I wrote a follow-up for the Internet Storm Center (ISC) titled:  "Blank Slate" malspam still pushing Cerber ransomware.

TODAY'S NOTES:

• Today is the first time I've seen CVE-2017-0199 associated with this campaign (RTF files with a .doc file extension that exploit CVE-2017-0199).
• Here is a nice write-up here about how it works.
• However, none of the three .doc (RTF) files I found infected any of the hosts in my lab when I tried them.

 

Shown above:  Flow chart for these emails.

 

EMAILS

Shown above:  Data from the spreadsheet tracker (image 1 of 3).

 

Shown above:  Data from spreadsheet (image 2 of 3) CVE-2017-0199 files highlighted in yellow.

 

Shown above:  Data from the spreadsheet tracker (image 3 of 3) CVE-2017-0199 files highlighted in yellow.

 

(READ: Date/Time   --   Sending address (spoofed)   --   Subject   --   Attachment)

• 2017-04-26 18:15 UTC   --   honigbiermeier@t-online[.]de   --   25911 [recipient]   --   9910124.zip
• 2017-04-26 20:44 UTC   --   ennerson@iusd[.]org   --   45376 [recipient]   --   409317.zip
• 2017-04-26 21:45 UTC   --   ikucukyumuk@iics.k12[.]tr   --   38638 [recipient]   --   8010246017929.zip
• 2017-04-26 23:52 UTC   --   yc14e12@soton[.]ac[.]uk   --   17894 [recipient]   --   972472.zip
• 2017-04-27 00:24 UTC   --   pat@thebearsinthecity[.]com   --   55957 [recipient]   --   5658650569.zip
• 2017-04-27 03:00 UTC   --   dino.mattia@alice[.]it   --   9346 [recipient]   --   63043088778557.zip
• 2017-04-27 07:15 UTC   --   jennifer.rose@davey[.]com   --   45462 [recipient]   --   993051853636.zip
• 2017-04-27 09:54 UTC   --   ebba.de.faire@auktionsverket[.]se   --   61883 [recipient]   --   687181587431.zip
• 2017-04-27 11:07 UTC   --   f.jung@shetlands-du-sanon[.]fr   --   24007 [recipient]   --   1473818521163.zip
• 2017-04-27 11:32 UTC   --   alan@heliosfans[.]co[.]uk   --   15962 [recipient]   --   507586924764.zip
• 2017-04-27 11:55 UTC   --   pat@thebearsinthecity[.]com   --   50138 [recipient]   --   84296497.zip
• 2017-04-27 14:04 UTC   --   dhaks0705@naver[.]com   --   33544 [recipient]   --   24800.zip
• 2017-04-27 15:36 UTC   --   mats.bergquist@home[.]se   --   31172 [recipient]   --   7668442274917.zip
• 2017-04-27 16:00 UTC   --   chazy@baby200.wanadoo[.]co[.]uk   --   56820 [recipient]   --   38.zip
• 2017-04-27 16:26 UTC   --   miriampostan@yahoo[.]com   --   59512 [recipient]   --   20881.zip
• 2017-04-27 17:43 UTC   --   bristol@tcmail[.]eu   --   46166 [recipient]   --   241921421406.zip
• 2017-04-27 18:00 UTC   --   eeeljux@inbox[.]lv   --   26567 [recipient]   --   3.zip
• 2017-04-27 19:50 UTC   --   rcoburn@partners[.]org   --   26433 [recipient]   --   4529703655442.zip
• 2017-04-27 20:17 UTC   --   xa0aaguirre@keoghhealth[.]org   --   55019 [recipient]   --   10762210455416.zip
• 2017-04-27 20:35 UTC   --   domenico@msps[.]org   --   3132 [recipient]   --   153348269837.zip

 

TRAFFIC

Shown above:  Traffic from a .js file-based infection filtered in Wireshark.

 

Shown above:  Traffic when I tried one of the .doc files (CVE-2017-0199 RTF files) filtered in Wireshark.

 

URLS GENERATED BY THE EXTRACTED FILES:

• 51.15.77[.]124 port 80 - 37kddsserrt[.]xyz - GET /search.php
• 46.173.214[.]214 port 80 - castrokolaz[.]top - GET /admin.php?f=1.exe
• 46.173.214[.]214 port 80 - wowaskopoq[.]top - GET /admin.php?f=1.xls
• 46.173.214[.]214 port 80 - wowaskopoq[.]top - GET /admin.php?f=404
• 46.173.214[.]214 port 80 - wowaskopoq[.]top - GET /1.xls

CERBER POST-INFECTION TRAFFIC:

• 94.21.172[.]0 - 94.21.172[.]31 (94.21.172[.]0/27) UDP port 6893
• 94.22.172[.]0 - 94.22.172[.]31 (94.22.172[.]0/27) UDP port 6893
• 94.23.172[.]0 - 94.23.175[.]255 (94.23.172[.]0/22) UDP port 6893
• 23.249.163[.]4 port 80 - p27dokhpz2n7nvgr.1kyjw7[.]top

 

SHA256 HASHES

EMAIL ATTACHMENTS:

• c31a4e0fb58b3eeed32f0e355e3f4fd925264e89d60f95aa04f099ca7d2d8bdf - 3.zip
• 7c8eec000dbd1da7b2996dd55c904e0bb12494ea88464bfcf84d174a3e2fbd57 - 38.zip
• 836541d45e2eeaa2aabedb9849133f2fe981b3fef0c203e8fb5485783feea6cf - 20881.zip
• 3c3937ee2631253e1221cc807c5f7084cca0da26018942ddc69223bf4dd95c1b - 24800.zip
• b02e226c7e80e18f0274ac2219c4585e9d77e019bc36668a5894fede354b54c0 - 409317.zip
• 33f34b14df63d80b194da349d0505860b9381a306e2ec783633dbaac5602e798 - 972472.zip
• fe596acfcaa2e75fb33e63ed35eac75ee5ed27790acb29861a24a7a09bc04b7e - 9910124.zip
• e876f2ff5eccc807487a99346c018ac71cb4ba8487bbe30f36f189bd8c0f33ab - 84296497.zip
• 6444627e10831f0dea1d4ac0b166a388d8c6817d58e1644e803c0babdce16cff - 5658650569.zip
• 2291038ee6b01b3f3ab0575fc086066f7a4124897110ae39dcb3aa30721fd911 - 153348269837.zip
• 5cd95e174766f563cb9e5ee476c078b216ca5f1fbcb485c794756f56d81b1ebb - 241921421406.zip
• 06d59e45783582f8db1ad5ff2689c6dc00e0d022c737e0bb793144f91d623cfe - 507586924764.zip
• 66e35e9c4a01c5b88e938a12bd50ec6f7d3e3c7c72d971732411de4b95350e30 - 687181587431.zip
• 9141660d59b041442f7d38c8533b7fb9889a94be84906a36b7c0fe1af0b8317d - 993051853636.zip
• 6c796c76e1bd381ab13c4d8d32c29ad688d377788439fda55c062302076bc405 - 1473818521163.zip
• 5d86da18cd5dce66f4dac2c34eaa55a353f2ea8a2cf84eb2f4f141f1141adb97 - 4529703655442.zip
• 70f278964a1064eb826ba08d48bf3913c56e344ac4efac0f5de0e2fd35375b4f - 7668442274917.zip
• 38f84f0f20bb28be1bec1b7b363b43b016b61913d74fa7dcd20f8336e7aa3f8f - 8010246017929.zip
• b2f5067a73e658767ce81a011e00413c7f7e860240a705d3f40a7a01eb90586a - 10762210455416.zip
• 37af9564426047092d6ced6ad232793036831168569bab4f96ea65e39b8a2422 - 63043088778557.zip

 

EXTRACTED .JS FILES:

• fc07eee0030736ed9b82fc53bbba25c7516d3ec4654bd75fa5542a607d92c1da - 247.js
• bb170d05eae75224aa175adea42fe3e2d8dd8a64b6562fb1ca66ac9c27214e7a - 2892.js
• 4c5f9212c4f15a4e1fc0a37b2384d12b6fb4b27168063316cf0dbb28bfd44d2c - 6307.js
• 30795ddfed979f7da41fe6793200e305a2ad29efa20ef1a4d9089827f291f67b - 8313.js
• aa5c9523e3fe34744280af767132efcb9c3de8d091c25bab581592b3acdb8416 - 9281.js
• b3537c42a6c731b751cad723fad294041b2fdf92487ff071cc775e2779cdebb1 - 9826.js
• 9547ed41f13909cf8627d7df4e4f40c4b90bf60f6984b8d5a6355a9e36c97707 - 9843.js
• 43dfb2a6e37dac424b49b9d99a00860bee08d70cf8791330b46959e31b371989 - 12998.js
• 72816fa42341c8f5d741b45de7ff255970f7f047c63728f01e5d7c94e244cb10 - 13860.js
• 1a2640214ce17d990d6e213c3ab3130c130c304b289bef2b15051709ed4cd242 - 16324.js
• a08f07636990c1f4d9bea326c41ceeeca09bef876a077f00c7ecbb6b49b6ccc8 - 17779.js
• 20ffb283d1af44cb42afbee43c2b386021e7dedb9c59c1d5a95ac3e05fce9742 - 19643.js
• 4cc79f18949dc2b001cee31ddc8dc19977536a1bf1d21a4dfa5424bca5a1e7e0 - 20255.js
• 8b7ae1813df97391c030c78aa52b3c373e89e506444408ada6cbb8cf04afb821 - 21107.js
• 9d4b93f82a14f94949ea9cf520966d803bbc18c6f48ab573eeaf7e8ae8c6ab5a - 21361.js
• 7fcf85fccec3f7786666924b0d1d55122754a1b9b76ee50c7eb005aecceb5636 - 23759.js
• 9e30565aa8299a6f6d5b0eb94aeeaa52304d5b7e0891a6b4d576803665875f8a - 28050.js

 

EXTRACTED RTF FILES DESIGNED TO EXPLOIT CVE-2017-0199:

• 837863fcc9a1486ede37f802274df03004b6a91f6dca12ce128cce34bf99e701 - 1.doc
• ddecdb041448d6681e7f6c66ada006777f4e7436a3e51cf74a3cb20fa7a01988 - 9714.doc
• 0fbd5be8921c361bdc647adad10ff91fcc7f88bfa42a373debe95c75a4fdb328 - 18480.doc

 

CERBER RANSOMWARE SAMPLES:

• SHA256 hash:  7f2335466ecca7be6888f92b5ba260780ce0a38039ceb54ac99b0485b3b086de
  File description:  Cerber ransomware downloaded from 37kddsserrt[.]xyz on 2017-04-27

• SHA256 hash:  1c00cfd9ce9b139c738ac32e7cf824bfb921e51d03fb2540439953ea0d81f56a
  File description:  Cerber ransomware downloaded from castrokolaz[.]top on 2017-04-27

• SHA256 hash:  17dc23974cf210b4f7a361004fa623642638cc0ce6cd7a39ec296c171d1b058d
  File description:  Cerber ransomware downloaded from wowaskopoq[.]top on 2017-04-27 (1 of 2)

• SHA256 hash:  4b7b6475caad196d3288801932db077af155479d5df2f85a040a5088765aefbc
  File description:  Cerber ransomware downloaded from wowaskopoq[.]top on 2017-04-27 (2 of 2)

 

Click here to return to the main page.