2016-12-22 - FAKE WALGREENS MALSPAM DISTRIBUTES CERBER RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-12-22-Cerber-from-malspam-traffic.pcap.zip 363 kB (363,460 bytes)
- 2016-12-22-Cerber-from-malspam-traffic.pcap (534,456 bytes)
- ZIP archive of the malware: 2016-12-22-Cerber-from-malspam-malware-and-artifacts.zip 621 kB (621,297 bytes)
- 2016-12-22-Cerber-downloaded-from-Word-macro.exe (297,642 bytes)
- 2016-12-22-Cerber-from-malspam_README_FGS6_.hta (66,409 bytes)
- 2016-12-22-Cerber-from-malspam_README_FGS6_.jpg (236,916 bytes)
- 2016-12-22-Cerber-malspam-0823-UTC.eml (4,217 bytes)
- 2016-12-22-fake-invoice-with-malicious-Word-macro.doc (179,200 bytes)
Shown above: Flowchart for this infection.
THE EMAIL
Shown above: Screenshot of the email.
Shown above: Screenshot of the header information.
EMAIL HEADER LINES:
- Date: Thursday, 2016-12-22 at 08:23 UTC
- Subject: Transaction ID: J009112693932
- From: "Walsgreens Co." <admin@welsgreen.club>
- Received from mail server at: welsgreen.club - 52.169.29.188
- Message-ID: <9F9A2C7F74A08E1DC1C48D33C7EF59E1@welsgreen.club>
- X-Mailer: Microsoft Windows Live Mail 15.4.3538.513
MESSAGE TEXT:
Walgreens Co.
This message has been auto-generated in connection with the disputed transactions on your account
Transaction ID: J009112693932
Tran.Date   Service Date  Description     Type  Status      Amount
22/12/2016  22/12/2016    WALGREENS#3235  Card  Authorized  127.75 GBP
walgreens.com/J009112693932
Note: to view a full list of transactions, follow this link and open document using Microsoft Word
TRAFFIC
Shown above: Pcap of the infection traffic filtered in Wireshark.
ASSOCIATED DOMAINS:
- 75.126.81.66 port 80 - 1sajl3933.mybluemix.net - GET /redirector_bcc [Link from the malicious email]
- 13.77.0.166 port 80 - 13.77.0.166 - GET /?1 [redirects to Word document]
- 192.52.167.64 port 80 - 192.52.167.64 - GET /Invoice.doc [Word document download]
- 13.77.0.166 port 80 - 13.77.0.166 - GET /encrypted.exe [Word macro retrieving Cerber ransomware]
- 77.4.1.0 to 77.4.1.31 UDP port 6892 [Cerber post-infection UDP traffic]
- 77.15.1.0 to 77.15.1.26 UDP port 6892 [Cerber post-infection UDP traffic]
- 91.239.24.6 to 91.239.25.255 UDP port 6892 [Cerber post-infection UDP traffic]
- 23.152.0.167 port 80 - ftoxmpdipwobp4qy.199ovv.top [Cerber post-infection HTTP traffic]
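As an added example (not part of the original write-up), here is a small Python filter that flags the Cerber post-infection UDP/6892 pattern listed above when run over flow records. The flow line format, the internal host addresses and the sample records are constructed assumptions; the destination ranges and port are the ones from this pcap.

```python
import ipaddress
from collections import defaultdict

# Inclusive destination ranges observed in this infection's UDP traffic (from the listing above)
CERBER_UDP_RANGES = [
    ("77.4.1.0", "77.4.1.31"),
    ("77.15.1.0", "77.15.1.26"),
    ("91.239.24.6", "91.239.25.255"),
]
CERBER_UDP_PORT = 6892


def in_cerber_range(ip):
    """True if ip falls inside one of the Cerber destination ranges seen in this pcap."""
    addr = int(ipaddress.IPv4Address(ip))
    return any(int(ipaddress.IPv4Address(lo)) <= addr <= int(ipaddress.IPv4Address(hi))
               for lo, hi in CERBER_UDP_RANGES)


def parse_flow(line):
    # Assumed (constructed) flow format: "<ts> <src_ip> <src_port> <dst_ip> <dst_port> <proto>"
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto.lower()}


def find_cerber_udp_beacons(lines, min_targets=10):
    """Return {src_ip: distinct destinations hit on UDP/6892 inside the ranges}
    for every source that reached at least min_targets such destinations.
    A single infected host sweeping a whole range is the signal; one stray
    datagram is not, hence the threshold."""
    hits = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f["proto"] == "udp" and f["dport"] == CERBER_UDP_PORT and in_cerber_range(f["dst"]):
            hits[f["src"]].add(f["dst"])
    return {src: len(dsts) for src, dsts in hits.items() if len(dsts) >= min_targets}


# Constructed sample: one host sweeping 77.4.1.0-31 on UDP/6892, plus benign noise
SAMPLE_FLOWS = [f"1482396000.{i:03d} 10.0.0.25 51000 77.4.1.{i} 6892 udp" for i in range(32)]
SAMPLE_FLOWS += [
    "1482396001.000 10.0.0.25 51001 91.239.24.6 6892 udp",
    "1482396002.000 10.0.0.30 49152 8.8.8.8 53 udp",     # ordinary DNS, ignored
    "1482396003.000 10.0.0.30 49153 77.4.1.5 80 tcp",    # in range, but not the Cerber port/proto
]

if __name__ == "__main__":
    print(find_cerber_udp_beacons(SAMPLE_FLOWS))  # {'10.0.0.25': 33}
```

The ranges are the ones observed in this pcap; other Cerber samples beacon to different blocks, so treat the list as a per-sample indicator to refresh rather than a permanent signature.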
FILE HASHES
WORD DOCUMENT FROM THE EMAIL LINK:
- SHA256 hash: 957ac9651ff18e086ab354499fcb6ceb5443213f549b041f1735d6e883b8be11 (179,200 bytes)
- File name: Invoice.doc
CERBER RANSOMWARE AFTER ENABLING MACROS:
- SHA256 hash: 2e30967573a013437579ba420147878ea20a941e451ad0fe4d9444a3955e80a4 (297,642 bytes)
- File path: C:\Users\[Username]\AppData\Local\Temp\14876.exe
IMAGES
Shown above: Clicking on the email link gave me a Word document.
Shown above: Opening the Word document shows a message to enable macros, if they're not already enabled.
Shown above: Desktop of the infected Windows host.
Shown above: 74 US dollars as a ransom payment? Seems cheap compared to what I'm used to seeing.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-12-22-Cerber-from-malspam-traffic.pcap.zip 363 kB (363,460 bytes)
- ZIP archive of the malware: 2016-12-22-Cerber-from-malspam-malware-and-artifacts.zip 621 kB (621,297 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.