2017-03-31 - "BLANK SLATE" MALSPAM STILL PUSHING CERBER

ASSOCIATED FILES:

• ZIP archive of a pcaps:  2017-03-31-blank-slate-malspam.pcaps.zip   4.5 MB (4,530,452 bytes)
• ZIP archive of the spreadsheet tracker:  2017-03-31-blank-slate-malspam-tracker.csv.zip   2.9 kB (2,896 bytes)
• ZIP archive of the emails, malware, and artifacts:  2017-03-31-blank-slate-emails-malware-and-artifacts.zip   3.6 MB (3,591,121 bytes)

 

BACKGROUND:

• For background on this campaign, see the Palo Alto Networks Unit 42 Blog:  "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
• I wrote a follow-up for the Internet Storm Center (ISC) titled:  "Blank Slate" malspam still pushing Cerber ransomware.

OTHER NOTES:

• I haven't seen any more Microsoft-themed Blank Slate malspam with links to a fake Chrome install page as noted last week on 2017-03-24.
• However, I checked URLs for the fake Chrome install page, and they're still active for Blank Slate domains using the www. prefix (see below).
• Haven't seen any Blank Slate emails using Word documents.  I've only seen .js files lately.

 

EMAILS

Shown above:  Screen shot from the spreadsheet tracker.  Review that document for more details.

 

TRAFFIC

HTTP TRAFFIC FOR THE RANSOMWARE:

• 35.166.163.174 port 80 - truemityunituistep.top - GET /search.php
• 35.166.163.174 port 80 - truemityunituistep.top - GET /__files__/1
• 47.90.205.113 port 80 - www.chromefastl.top - GET /user.php?f=2.gif
• 47.90.205.113 port 80 - www.chromehakc.top - GET /user.php?f=2.gif
• 47.90.205.113 port 80 - www.fffgooaldq.top - GET /user.php?f=2.gif
• 47.90.205.113 port 80 - www.ffjoleedas.top - GET /user.php?f=2.gif
• 47.90.205.113 port 80 - www.hoopcinezc.top - GET /user.php?f=2.gif
• 47.90.205.113 port 80 - www.newsectorbs.top - GET /user.php?f=2.gif
• 54.149.101.37 port 80 - jhdgh.trade - GET /search.php
• 54.149.101.37 port 80 - jhdgh.site - GET /search.php
• 54.149.101.37 port 80 - polkiuj.bid - GET /search.php

HTTP TRAFFIC FOR RANSOMWARE DOWNLOAD FROM FAKE CHROME INSTALL PAGE:

• 47.90.205.113 port 80 - www.chromefastl.top - GET /site/chrome_update.html
• 47.90.205.113 port 80 - www.chromefastl.top - GET /site/download.php
• 47.90.205.113 port 80 - www.chromehakc.top - GET /site/chrome_update.html
• 47.90.205.113 port 80 - www.chromehakc.top - GET /site/download.php
• 47.90.205.113 port 80 - www.fffgooaldq.top - GET /site/chrome_update.html
• 47.90.205.113 port 80 - www.fffgooaldq.top - GET /site/download.php
• 47.90.205.113 port 80 - www.ffjoleedas.top - GET /site/chrome_update.html
• 47.90.205.113 port 80 - www.ffjoleedas.top - GET /site/download.php
• 47.90.205.113 port 80 - www.newsectorbs.top - GET /site/chrome_update.html
• 47.90.205.113 port 80 - www.newsectorbs.top - GET /site/download.php

 

MALWARE

SHA256 HASHES FOR RANSOMWARE SAMPLES:

• 66fc3e7027cabc29c6ef9bcd40eb92e36530175a89c33dfb4a210ef868af13e0 - Cerber from chromefastl.top on 2017-03-27
• 66fc3e7027cabc29c6ef9bcd40eb92e36530175a89c33dfb4a210ef868af13e0 - Cerber from chromehakc.top on 2017-03-27
• 59118ff55d6c20a08c6d4422972f9741de8b77755695cef9bc95126d46fb0026 - Cerber from hoopcinezc.top on 2017-03-27
• d4dbc24e07aca11e53f1bb733852e4416a8fc7db1c0c947994ec271895fdb0a4 - Cerber from truemityunituistep.top on 2017-03-27
• 8ea494bd84bea2617922a9ed488db44937199b3764ab6cb9f64e49d7e6945a3b - Cerber from truemityunituistep.top on 2017-03-28
• 07be83b0e9ed748c11d16afbd42b5582f192539706f3996a6debebdb575ad259 - Cerber from newsectorbs.top.exe on 2017-03-29
• b0e6d0e366494f94fd05756ec4b6245c74eee8f1c0ea65b21ba5e5f1c79d69c8 - Cerber from polkiuj.bid.exe on 2017-03-29
• 2e3652afd5d79020dd5aa1d95a61fa6c8e67271f16ccb15aacf11accdd9cc790 - Cerber from fffgooaldq.top.exe on 2017-03-31
• 434d95079877a99fc7cf9c01faabe37c185656bd5ffebe627a756641e41e1f5b - Cerber from ffjoleedas.top.exe on 2017-03-31
• 5bcb16e6dd8a023f7daef3cf2193ec4d8b911e3af677be3ebfbe58dbaf6e6d41 - Cerber from jhdgh.site.exe on 2017-03-31
• 0a7786e86d3df2548e12176b5d8aa6db0de9e556450a90f7c36fdbab1392b48f - Cerber from jhdgh.trade.exe on 2017-03-31

 

IMAGES

Shown above:  No more emails seen, but these fake Chrome install pages are still a thing.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of a pcaps:  2017-03-31-blank-slate-malspam.pcaps.zip   4.5 MB (4,530,452 bytes)
• ZIP archive of the spreadsheet tracker:  2017-03-31-blank-slate-malspam-tracker.csv.zip   2.9 kB (2,896 bytes)
• ZIP archive of the emails, malware, and artifacts:  2017-03-31-blank-slate-emails-malware-and-artifacts.zip   3.6 MB (3,591,121 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.