2016-12-29 - ANOTHER CERBER MALSPAM RUN
NOTES:
- I've seen this actor before. I most recently published an ISC diary about it on 2016-12-15 titled Domaincop malspam.
- Pcap and malware for that previous ISC diary are here.
- I saw some more emails, but I didn't get to them in time, and I was unable to retrieve the associated malicious Word documents.
- An example of the malicious Word documents from the email links can be found here on the reverse.it sandbox.
- Although I don't have any traffic, these Word documents are designed to download and install Cerber ransomware, just like last time.
ASSOCIATED FILES:
- ZIP archive of the data: 2016-12-29-Cerber-malspam-run-data.zip 14 kB (13,949 bytes)
- 2016-12-29-Cerber-ransomware-malspam-info.csv (1,584 bytes)
- 2016-12-29-fake-Credit-card-email-143244-UTC.eml (2,721 bytes)
- 2016-12-29-fake-Credit-card-email-143559-UTC.eml (2,723 bytes)
- 2016-12-29-fake-ICANN-email-141409-UTC.eml (4,459 bytes)
- 2016-12-29-fake-ICANN-email-161553-UTC.eml (4,547 bytes)
- 2016-12-29-fake-ICANN-email-161728-UTC.eml (4,555 bytes)
- 2016-12-29-fake-ICANN-email-161740-UTC.eml (4,552 bytes)
EMAIL DATA
Shown above: Data on the emails I found (part 1 of 2).
Shown above: Data on the emails I found (part 2 of 2).
Shown above: Example of the fake ICANN emails.
Shown above: Example of the fake credit card emails.
FAKE ICANN EMAIL HEADERS:
- Sending mail server: 185.169.229.97 - mail.icann-monitor.org
- Subject line: Domain Abuse Notice: [your domain name]
- Malicious link: report.icann-monitor.org - GET /view/Domain_Abuse_Report.doc
FAKE CREDIT CARD EMAIL HEADERS:
- Sending mail server: 185.169.229.104 - mail.ccreceipt.com
- Subject line: Alert - Your Credit Card has been charged
- Malicious link: receipt.ccreceipt.com - GET /view/Payment_receipt.doc
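A small triage script for the header and link indicators listed above, added here as an example and not part of the original post. The sample message is constructed to mirror the fake ICANN lure; the IPs, domains, subject lines and /view/*.doc paths are the ones noted above, and mx.example.net / the sender address are placeholders.

```python
import email
import re
from email import policy

# Indicators from the header notes: sending mail server IPs, the two lure
# domains, the subject lines, and the /view/<name>.doc download links.
SENDER_IPS = {"185.169.229.97", "185.169.229.104"}
LURE_DOMAINS = ("icann-monitor.org", "ccreceipt.com")
SUBJECT_PATTERNS = [
    re.compile(r"^Domain Abuse Notice:", re.I),
    re.compile(r"^Alert - Your Credit Card has been charged", re.I),
]
DOC_LINK = re.compile(r"https?://([\w.-]+)/view/[\w-]+\.doc\b", re.I)
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def score_message(raw):
    """Return the list of campaign indicators matched by one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    # Received: headers carry the relaying host IPs in square brackets.
    for rcvd in msg.get_all("Received", []):
        for ip in RECEIVED_IP.findall(rcvd):
            if ip in SENDER_IPS:
                hits.append("received-from:" + ip)
    sender = str(msg.get("From", ""))
    if any(d in sender.lower() for d in LURE_DOMAINS):
        hits.append("from-domain:" + sender)
    subject = str(msg.get("Subject", ""))
    if any(p.search(subject) for p in SUBJECT_PATTERNS):
        hits.append("subject:" + subject)
    # Body links pointing at /view/<name>.doc on one of the lure domains.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for host in DOC_LINK.findall(text):
        if host.lower().endswith(LURE_DOMAINS):
            hits.append("doc-link:" + host)
    return hits

# Constructed sample mirroring the fake ICANN lure (not one of the real .eml files).
SAMPLE_ICANN = """\
Received: from mail.icann-monitor.org (mail.icann-monitor.org [185.169.229.97])
\tby mx.example.net with ESMTP; Thu, 29 Dec 2016 14:14:09 +0000
From: Domain Abuse Dept <abuse@icann-monitor.org>
Subject: Domain Abuse Notice: example.net
Content-Type: text/html; charset="utf-8"

<p>Our system has detected that your domain is being used for spamming.</p>
<a href="http://report.icann-monitor.org/view/Domain_Abuse_Report.doc">Click Here</a>
"""
```

Run score_message over each .eml in the archive; a message that hits on the sender IP plus a .doc link on a lure domain is the pattern both lure variants share.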
EXAMPLE OF FAKE ICANN EMAIL TEXT:
Dear Domain Owner,
Our system has detected that your domain: [your domain name] is being used for spamming and spreading malware recently.
You can download the detailed abuse report of your domain along with date/time of incidents. Click Here
We have also provided detailed instruction on how to delist your domain from our blacklisting.
Please download the report immediately and take proper action within 24 hours otherwise your domain will be suspended permanently.
There is also possibility of legal action depend on severity and persistence of your abuse case.
Three Simple Steps:
1. Download your abuse report.
2. Check your domain abuse incidents along with date and time.
3. Take few simple steps for prevention and to avoid domain suspension.
Click Here to Download your Report
Please look into it and contact us.
Best Regards,
Domain Abuse Dept.
ICANN Inc.
Tel.: (139) 756-26-91
EXAMPLE OF FAKE CREDIT CARD EMAIL TEXT:
Dear Customer,
We have just processed your payment against Invoice no.KW1521 ( Download Receipt).
The payment details are:
Order Value: $1500
Sales Tax: $189
---------------------
Total Amount Received: $1689
For Payment details and Order information, please download Invoice copy and payment receipt from here: CLICK HERE
Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the main Billing Dept.
For Pricing or other general enquiries please contact your local Sales Team.
Yours Faithfully,
CC Billing Dept.
Tel.: (139) 723-31-04
FINAL NOTES
Once again, here is the associated file:
- ZIP archive of the data: 2016-12-29-Cerber-malspam-run-data.zip 14 kB (13,949 bytes)
ZIP files on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.