2017-04-27 - "BLANK SLATE" CAMPAIGN STILL PUSHING CERBER RANSOMWARE, ALSO EXPLOITING CVE-2017-0199
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-04-27-Blank-Slate-campaign-5-pcaps.zip 1.1 MB (1,127,345 bytes)
- 2017-04-27-Blank-Slate-malspam-tracker.csv.zip 1.6 kB (1,634 bytes)
- 2017-04-27-Blank-Slate-emails-and-Cerber-ransomware.zip 1.5 MB (1,459,587 bytes)
BACKGROUND:
- For background on this campaign, see the Palo Alto Networks Unit 42 Blog: "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
- I wrote a follow-up for the Internet Storm Center (ISC) titled: "Blank Slate" malspam still pushing Cerber ransomware.
TODAY'S NOTES:
- Today is the first time I've seen CVE-2017-0199 associated with this campaign (RTF files with a .doc file extension that exploit CVE-2017-0199).
- Here is a nice write-up about how it works.
- However, none of the three .doc (RTF) files I found infected any of the hosts in my lab when I tried them.
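The note above points out that the CVE-2017-0199 attachments are RTF files carrying a .doc extension. Word chooses a parser by sniffing content, not by extension, so the name/content mismatch is a cheap triage signal a mail gateway or sandbox can apply before any detonation. The following is an added example, not code from the original post or from the linked write-ups; the sample bytes and file names are constructed stand-ins, not the campaign's attachments, and the embedded-object check is a heuristic based on the RTF `\object` group, not a CVE signature.

```python
"""Flag attachments whose file extension disagrees with their container format.

Added example for this post. SAMPLES below are constructed, not the real files.
"""
import re

# Leading bytes of the container formats a ".doc" name can hide.
RTF_MAGIC = b"{\\rtf"                             # Rich Text Format
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Word (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx) is a zip container


def classify_doc(data: bytes) -> str:
    """Return the real container format from magic bytes, ignoring the file name."""
    head = data[:64].lstrip()  # tolerate leading whitespace before {\rtf
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def rtf_has_embedded_object(data: bytes) -> bool:
    """RTF embeds OLE objects inside a \\object group; plain documents rarely need one.

    Heuristic only: it says 'look closer', not 'this is CVE-2017-0199'.
    """
    return re.search(rb"\\object(?![A-Za-z])", data) is not None


def triage(name: str, data: bytes) -> dict:
    """Combine extension, sniffed format and the object heuristic into one verdict."""
    fmt = classify_doc(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {
        "name": name,
        "format": fmt,
        # Word extension but RTF bytes: the pattern described in the notes above.
        "extension_mismatch": ext == "doc" and fmt == "rtf",
        "embedded_object": fmt == "rtf" and rtf_has_embedded_object(data),
    }


# Constructed samples (hypothetical names and bytes, not the campaign's attachments).
SAMPLES = {
    # RTF with an embedded object, delivered under a .doc name
    "invoice.doc": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
    # genuine legacy binary Word header
    "report.doc": OLE2_MAGIC + b"\x00" * 24,
    # ordinary RTF with an honest extension
    "notes.rtf": b"{\\rtf1\\ansi Hello}",
}


def suspicious_names(samples=SAMPLES) -> list:
    """Names whose extension says Word but whose bytes say RTF."""
    return sorted(n for n, d in samples.items() if triage(n, d)["extension_mismatch"])


if __name__ == "__main__":
    for n, d in SAMPLES.items():
        print(triage(n, d))
    print("suspicious:", suspicious_names())
```

Running the block prints one verdict per sample; only `invoice.doc` is reported as a mismatch, and it is also the only one carrying an `\object` group. Against real mail flow the same logic runs over the extracted archive contents, which is where the notes above say the RTF files live.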
Shown above: Flow chart for these emails.
EMAILS
Shown above: Data from the spreadsheet tracker (image 1 of 3).
Shown above: Data from the spreadsheet tracker (image 2 of 3), CVE-2017-0199 files highlighted in yellow.
Shown above: Data from the spreadsheet tracker (image 3 of 3), CVE-2017-0199 files highlighted in yellow.
(READ: Date/Time -- Sending address (spoofed) -- Subject -- Attachment)
- 2017-04-26 18:15 UTC -- honigbiermeier@t-online[.]de -- 25911 [recipient] -- 9910124.zip
- 2017-04-26 20:44 UTC -- ennerson@iusd[.]org -- 45376 [recipient] -- 409317.zip
- 2017-04-26 21:45 UTC -- ikucukyumuk@iics.k12[.]tr -- 38638 [recipient] -- 8010246017929.zip
- 2017-04-26 23:52 UTC -- yc14e12@soton[.]ac[.]uk -- 17894 [recipient] -- 972472.zip
- 2017-04-27 00:24 UTC -- pat@thebearsinthecity[.]com -- 55957 [recipient] -- 5658650569.zip
- 2017-04-27 03:00 UTC -- dino.mattia@alice[.]it -- 9346 [recipient] -- 63043088778557.zip
- 2017-04-27 07:15 UTC -- jennifer.rose@davey[.]com -- 45462 [recipient] -- 993051853636.zip
- 2017-04-27 09:54 UTC -- ebba.de.faire@auktionsverket[.]se -- 61883 [recipient] -- 687181587431.zip
- 2017-04-27 11:07 UTC -- f.jung@shetlands-du-sanon[.]fr -- 24007 [recipient] -- 1473818521163.zip
- 2017-04-27 11:32 UTC -- alan@heliosfans[.]co[.]uk -- 15962 [recipient] -- 507586924764.zip
- 2017-04-27 11:55 UTC -- pat@thebearsinthecity[.]com -- 50138 [recipient] -- 84296497.zip
- 2017-04-27 14:04 UTC -- dhaks0705@naver[.]com -- 33544 [recipient] -- 24800.zip
- 2017-04-27 15:36 UTC -- mats.bergquist@home[.]se -- 31172 [recipient] -- 7668442274917.zip
- 2017-04-27 16:00 UTC -- chazy@baby200.wanadoo[.]co[.]uk -- 56820 [recipient] -- 38.zip
- 2017-04-27 16:26 UTC -- miriampostan@yahoo[.]com -- 59512 [recipient] -- 20881.zip
- 2017-04-27 17:43 UTC -- bristol@tcmail[.]eu -- 46166 [recipient] -- 241921421406.zip
- 2017-04-27 18:00 UTC -- eeeljux@inbox[.]lv -- 26567 [recipient] -- 3.zip
- 2017-04-27 19:50 UTC -- rcoburn@partners[.]org -- 26433 [recipient] -- 4529703655442.zip
- 2017-04-27 20:17 UTC -- xa0aaguirre@keoghhealth[.]org -- 55019 [recipient] -- 10762210455416.zip
- 2017-04-27 20:35 UTC -- domenico@msps[.]org -- 3132 [recipient] -- 153348269837.zip
TRAFFIC
Shown above: Traffic from a .js file-based infection filtered in Wireshark.
Shown above: Traffic when I tried one of the .doc files (CVE-2017-0199 RTF files) filtered in Wireshark.
URLS GENERATED BY THE EXTRACTED FILES:
- 51.15.77[.]124 port 80 - 37kddsserrt[.]xyz - GET /search.php
- 46.173.214[.]214 port 80 - castrokolaz[.]top - GET /admin.php?f=1.exe
- 46.173.214[.]214 port 80 - wowaskopoq[.]top - GET /admin.php?f=1.xls
- 46.173.214[.]214 port 80 - wowaskopoq[.]top - GET /admin.php?f=404
- 46.173.214[.]214 port 80 - wowaskopoq[.]top - GET /1.xls
CERBER POST-INFECTION TRAFFIC:
- 94.21.172[.]0 - 94.21.172[.]31 (94.21.172[.]0/27) UDP port 6893
- 94.22.172[.]0 - 94.22.172[.]31 (94.22.172[.]0/27) UDP port 6893
- 94.23.172[.]0 - 94.23.175[.]255 (94.23.172[.]0/22) UDP port 6893
- 23.249.163[.]4 port 80 - p27dokhpz2n7nvgr.1kyjw7[.]top
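The post-infection indicators above are three IP ranges plus a single UDP port, which is exactly the shape a flow-log or firewall-log rule needs. The block below is an added example, not code from the original post or from the pcaps linked at the top: it refangs the `[.]` notation, loads the three ranges and port 6893 as listed, and matches constructed flow records against them. The flow line format and the sample records are assumptions made for the example, not an export from the pcaps.

```python
"""Match flow records against the Cerber post-infection UDP ranges listed above.

Added example for this post. SAMPLE_FLOWS below are constructed, not pcap data.
"""
import ipaddress
import re
from collections import defaultdict


def refang(s: str) -> str:
    """Turn defanged notation such as 94.21.172[.]0 back into a parseable address."""
    return s.replace("[.]", ".")


# Ranges and port exactly as given in the "Cerber post-infection traffic" list.
CERBER_UDP_PORT = 6893
CERBER_NETS = [
    ipaddress.ip_network(refang(n))
    for n in ("94.21.172[.]0/27", "94.22.172[.]0/27", "94.23.172[.]0/22")
]

# Hypothetical flow-log line shape assumed for this example:
# "<date> <time> <PROTO> <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def is_cerber_beacon(proto: str, dst: str, dport) -> bool:
    """True when the flow is UDP to port 6893 inside one of the listed ranges."""
    if proto != "UDP" or int(dport) != CERBER_UDP_PORT:
        return False
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in CERBER_NETS)


def scan_flows(lines):
    """Return (timestamp, src, dst) for every line that matches the indicator."""
    hits = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        if is_cerber_beacon(m["proto"], m["dst"], m["dport"]):
            hits.append((m["ts"], m["src"], m["dst"]))
    return hits


def fanout_by_source(hits):
    """Count distinct destinations per internal host.

    The ranges above are whole /27 and /22 blocks, so an infected host tends to
    touch many addresses in them; a high count per source is the stronger signal.
    """
    dests = defaultdict(set)
    for _ts, src, dst in hits:
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}


# Constructed flow records (not from the pcaps on this page).
SAMPLE_FLOWS = [
    "2017-04-27 16:02:11 UDP 10.0.0.15:51235 -> 94.21.172.17:6893",   # inside 94.21.172.0/27
    "2017-04-27 16:02:11 UDP 10.0.0.15:51235 -> 94.21.172.40:6893",   # .40 is outside the /27
    "2017-04-27 16:02:12 UDP 10.0.0.15:51236 -> 94.23.174.200:6893",  # inside 94.23.172.0/22
    "2017-04-27 16:02:13 UDP 10.0.0.15:53211 -> 8.8.8.8:53",          # DNS, unrelated
    "2017-04-27 16:02:14 TCP 10.0.0.15:49200 -> 94.22.172.5:6893",    # right net, wrong protocol
]


if __name__ == "__main__":
    found = scan_flows(SAMPLE_FLOWS)
    for hit in found:
        print("cerber-udp", *hit)
    print("fan-out per source:", fanout_by_source(found))
```

On the constructed records two flows match (the /27 and the /22 destinations); the address one past the /27 boundary, the DNS query and the TCP flow to a listed network are all correctly left alone. Matching on the CIDR blocks rather than on individual addresses is what makes the rule survive the range sweep the post describes.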
SHA256 HASHES
EMAIL ATTACHMENTS:
- c31a4e0fb58b3eeed32f0e355e3f4fd925264e89d60f95aa04f099ca7d2d8bdf - 3.zip
- 7c8eec000dbd1da7b2996dd55c904e0bb12494ea88464bfcf84d174a3e2fbd57 - 38.zip
- 836541d45e2eeaa2aabedb9849133f2fe981b3fef0c203e8fb5485783feea6cf - 20881.zip
- 3c3937ee2631253e1221cc807c5f7084cca0da26018942ddc69223bf4dd95c1b - 24800.zip
- b02e226c7e80e18f0274ac2219c4585e9d77e019bc36668a5894fede354b54c0 - 409317.zip
- 33f34b14df63d80b194da349d0505860b9381a306e2ec783633dbaac5602e798 - 972472.zip
- fe596acfcaa2e75fb33e63ed35eac75ee5ed27790acb29861a24a7a09bc04b7e - 9910124.zip
- e876f2ff5eccc807487a99346c018ac71cb4ba8487bbe30f36f189bd8c0f33ab - 84296497.zip
- 6444627e10831f0dea1d4ac0b166a388d8c6817d58e1644e803c0babdce16cff - 5658650569.zip
- 2291038ee6b01b3f3ab0575fc086066f7a4124897110ae39dcb3aa30721fd911 - 153348269837.zip
- 5cd95e174766f563cb9e5ee476c078b216ca5f1fbcb485c794756f56d81b1ebb - 241921421406.zip
- 06d59e45783582f8db1ad5ff2689c6dc00e0d022c737e0bb793144f91d623cfe - 507586924764.zip
- 66e35e9c4a01c5b88e938a12bd50ec6f7d3e3c7c72d971732411de4b95350e30 - 687181587431.zip
- 9141660d59b041442f7d38c8533b7fb9889a94be84906a36b7c0fe1af0b8317d - 993051853636.zip
- 6c796c76e1bd381ab13c4d8d32c29ad688d377788439fda55c062302076bc405 - 1473818521163.zip
- 5d86da18cd5dce66f4dac2c34eaa55a353f2ea8a2cf84eb2f4f141f1141adb97 - 4529703655442.zip
- 70f278964a1064eb826ba08d48bf3913c56e344ac4efac0f5de0e2fd35375b4f - 7668442274917.zip
- 38f84f0f20bb28be1bec1b7b363b43b016b61913d74fa7dcd20f8336e7aa3f8f - 8010246017929.zip
- b2f5067a73e658767ce81a011e00413c7f7e860240a705d3f40a7a01eb90586a - 10762210455416.zip
- 37af9564426047092d6ced6ad232793036831168569bab4f96ea65e39b8a2422 - 63043088778557.zip
EXTRACTED .JS FILES:
- fc07eee0030736ed9b82fc53bbba25c7516d3ec4654bd75fa5542a607d92c1da - 247.js
- bb170d05eae75224aa175adea42fe3e2d8dd8a64b6562fb1ca66ac9c27214e7a - 2892.js
- 4c5f9212c4f15a4e1fc0a37b2384d12b6fb4b27168063316cf0dbb28bfd44d2c - 6307.js
- 30795ddfed979f7da41fe6793200e305a2ad29efa20ef1a4d9089827f291f67b - 8313.js
- aa5c9523e3fe34744280af767132efcb9c3de8d091c25bab581592b3acdb8416 - 9281.js
- b3537c42a6c731b751cad723fad294041b2fdf92487ff071cc775e2779cdebb1 - 9826.js
- 9547ed41f13909cf8627d7df4e4f40c4b90bf60f6984b8d5a6355a9e36c97707 - 9843.js
- 43dfb2a6e37dac424b49b9d99a00860bee08d70cf8791330b46959e31b371989 - 12998.js
- 72816fa42341c8f5d741b45de7ff255970f7f047c63728f01e5d7c94e244cb10 - 13860.js
- 1a2640214ce17d990d6e213c3ab3130c130c304b289bef2b15051709ed4cd242 - 16324.js
- a08f07636990c1f4d9bea326c41ceeeca09bef876a077f00c7ecbb6b49b6ccc8 - 17779.js
- 20ffb283d1af44cb42afbee43c2b386021e7dedb9c59c1d5a95ac3e05fce9742 - 19643.js
- 4cc79f18949dc2b001cee31ddc8dc19977536a1bf1d21a4dfa5424bca5a1e7e0 - 20255.js
- 8b7ae1813df97391c030c78aa52b3c373e89e506444408ada6cbb8cf04afb821 - 21107.js
- 9d4b93f82a14f94949ea9cf520966d803bbc18c6f48ab573eeaf7e8ae8c6ab5a - 21361.js
- 7fcf85fccec3f7786666924b0d1d55122754a1b9b76ee50c7eb005aecceb5636 - 23759.js
- 9e30565aa8299a6f6d5b0eb94aeeaa52304d5b7e0891a6b4d576803665875f8a - 28050.js
EXTRACTED RTF FILES DESIGNED TO EXPLOIT CVE-2017-0199:
- 837863fcc9a1486ede37f802274df03004b6a91f6dca12ce128cce34bf99e701 - 1.doc
- ddecdb041448d6681e7f6c66ada006777f4e7436a3e51cf74a3cb20fa7a01988 - 9714.doc
- 0fbd5be8921c361bdc647adad10ff91fcc7f88bfa42a373debe95c75a4fdb328 - 18480.doc
CERBER RANSOMWARE SAMPLES:
- SHA256 hash: 7f2335466ecca7be6888f92b5ba260780ce0a38039ceb54ac99b0485b3b086de
File description: Cerber ransomware downloaded from 37kddsserrt[.]xyz on 2017-04-27
- SHA256 hash: 1c00cfd9ce9b139c738ac32e7cf824bfb921e51d03fb2540439953ea0d81f56a
File description: Cerber ransomware downloaded from castrokolaz[.]top on 2017-04-27
- SHA256 hash: 17dc23974cf210b4f7a361004fa623642638cc0ce6cd7a39ec296c171d1b058d
File description: Cerber ransomware downloaded from wowaskopoq[.]top on 2017-04-27 (1 of 2)
- SHA256 hash: 4b7b6475caad196d3288801932db077af155479d5df2f85a040a5088765aefbc
File description: Cerber ransomware downloaded from wowaskopoq[.]top on 2017-04-27 (2 of 2)