2017-03-31 - "BLANK SLATE" MALSPAM STILL PUSHING CERBER
ASSOCIATED FILES:
- ZIP archive of a pcaps: 2017-03-31-blank-slate-malspam.pcaps.zip 4.5 MB (4,530,452 bytes)
- ZIP archive of the spreadsheet tracker: 2017-03-31-blank-slate-malspam-tracker.csv.zip 2.9 kB (2,896 bytes)
- ZIP archive of the emails, malware, and artifacts: 2017-03-31-blank-slate-emails-malware-and-artifacts.zip 3.6 MB (3,591,121 bytes)
BACKGROUND:
- For background on this campaign, see the Palo Alto Networks Unit 42 Blog: "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
- I wrote a follow-up for the Internet Storm Center (ISC) titled: "Blank Slate" malspam still pushing Cerber ransomware.
OTHER NOTES:
- I haven't seen any more Microsoft-themed Blank Slate malspam with links to a fake Chrome install page as noted last week on 2017-03-24.
- However, I checked URLs for the fake Chrome install page, and they're still active for Blank Slate domains using the www. prefix (see below).
- Haven't seen any Blank Slate emails using Word documents. I've only seen .js files lately.
EMAILS
Shown above: Screen shot from the spreadsheet tracker. Review that document for more details.
TRAFFIC
HTTP TRAFFIC FOR THE RANSOMWARE:
- 35.166.163.174 port 80 - truemityunituistep.top - GET /search.php
- 35.166.163.174 port 80 - truemityunituistep.top - GET /__files__/1
- 47.90.205.113 port 80 - www.chromefastl.top - GET /user.php?f=2.gif
- 47.90.205.113 port 80 - www.chromehakc.top - GET /user.php?f=2.gif
- 47.90.205.113 port 80 - www.fffgooaldq.top - GET /user.php?f=2.gif
- 47.90.205.113 port 80 - www.ffjoleedas.top - GET /user.php?f=2.gif
- 47.90.205.113 port 80 - www.hoopcinezc.top - GET /user.php?f=2.gif
- 47.90.205.113 port 80 - www.newsectorbs.top - GET /user.php?f=2.gif
- 54.149.101.37 port 80 - jhdgh.trade - GET /search.php
- 54.149.101.37 port 80 - jhdgh.site - GET /search.php
- 54.149.101.37 port 80 - polkiuj.bid - GET /search.php
HTTP TRAFFIC FOR RANSOMWARE DOWNLOAD FROM FAKE CHROME INSTALL PAGE:
- 47.90.205.113 port 80 - www.chromefastl.top - GET /site/chrome_update.html
- 47.90.205.113 port 80 - www.chromefastl.top - GET /site/download.php
- 47.90.205.113 port 80 - www.chromehakc.top - GET /site/chrome_update.html
- 47.90.205.113 port 80 - www.chromehakc.top - GET /site/download.php
- 47.90.205.113 port 80 - www.fffgooaldq.top - GET /site/chrome_update.html
- 47.90.205.113 port 80 - www.fffgooaldq.top - GET /site/download.php
- 47.90.205.113 port 80 - www.ffjoleedas.top - GET /site/chrome_update.html
- 47.90.205.113 port 80 - www.ffjoleedas.top - GET /site/download.php
- 47.90.205.113 port 80 - www.newsectorbs.top - GET /site/chrome_update.html
- 47.90.205.113 port 80 - www.newsectorbs.top - GET /site/download.php
MALWARE
SHA256 HASHES FOR RANSOMWARE SAMPLES:
- 66fc3e7027cabc29c6ef9bcd40eb92e36530175a89c33dfb4a210ef868af13e0 - Cerber from chromefastl.top on 2017-03-27
- 66fc3e7027cabc29c6ef9bcd40eb92e36530175a89c33dfb4a210ef868af13e0 - Cerber from chromehakc.top on 2017-03-27
- 59118ff55d6c20a08c6d4422972f9741de8b77755695cef9bc95126d46fb0026 - Cerber from hoopcinezc.top on 2017-03-27
- d4dbc24e07aca11e53f1bb733852e4416a8fc7db1c0c947994ec271895fdb0a4 - Cerber from truemityunituistep.top on 2017-03-27
- 8ea494bd84bea2617922a9ed488db44937199b3764ab6cb9f64e49d7e6945a3b - Cerber from truemityunituistep.top on 2017-03-28
- 07be83b0e9ed748c11d16afbd42b5582f192539706f3996a6debebdb575ad259 - Cerber from newsectorbs.top.exe on 2017-03-29
- b0e6d0e366494f94fd05756ec4b6245c74eee8f1c0ea65b21ba5e5f1c79d69c8 - Cerber from polkiuj.bid.exe on 2017-03-29
- 2e3652afd5d79020dd5aa1d95a61fa6c8e67271f16ccb15aacf11accdd9cc790 - Cerber from fffgooaldq.top.exe on 2017-03-31
- 434d95079877a99fc7cf9c01faabe37c185656bd5ffebe627a756641e41e1f5b - Cerber from ffjoleedas.top.exe on 2017-03-31
- 5bcb16e6dd8a023f7daef3cf2193ec4d8b911e3af677be3ebfbe58dbaf6e6d41 - Cerber from jhdgh.site.exe on 2017-03-31
- 0a7786e86d3df2548e12176b5d8aa6db0de9e556450a90f7c36fdbab1392b48f - Cerber from jhdgh.trade.exe on 2017-03-31
IMAGES
Shown above: No more emails seen, but these fake Chrome install pages are still a thing.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of a pcaps: 2017-03-31-blank-slate-malspam.pcaps.zip 4.5 MB (4,530,452 bytes)
- ZIP archive of the spreadsheet tracker: 2017-03-31-blank-slate-malspam-tracker.csv.zip 2.9 kB (2,896 bytes)
- ZIP archive of the emails, malware, and artifacts: 2017-03-31-blank-slate-emails-malware-and-artifacts.zip 3.6 MB (3,591,121 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.