2017-04-06 - "BLANK SLATE" MALSPAM STILL PUSHING CERBER, STILL USING FAKE CHROME PAGE

ASSOCIATED FILES:

• ZIP archive of a pcaps:  2017-04-06-blank-slate-malspam.pcaps.zip   4.9 MB (4,931,890 bytes)
• ZIP archive of the spreadsheet tracker:  2017-04-06-blank-slate-malspam-tracker.csv.zip   3.0 kB (3,000 bytes)
• ZIP archive of the emails, malware, and artifacts:  2017-04-06-blank-slate-emails-malware-and-artifacts.zip   4.1 MB (4,146,785 bytes)

 

BACKGROUND:

• For background on this campaign, see the Palo Alto Networks Unit 42 Blog:  "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
• I wrote a follow-up for the Internet Storm Center (ISC) titled:  "Blank Slate" malspam still pushing Cerber ransomware.

OTHER NOTES:

• I've collected 52 emails from the Blank Slate campaign during the past few days.
• Of these 52 emails, I found one Microsoft-themed message linking to a fake Chrome install page similar to the one seen on 2017-03-24.
• All the other emails were blank with zip attachments containing .js files.
• This time, the fake Chrome page sent a zip archive instead of an executable.

 

FAKE CHROME PAGE

Shown above:  Screen shot from the fake Microsoft email.

 

Shown above:  Letting the fake Chrome page send a fake Chrome update as a zip archive.

 

Shown above:  Zip acrhive sent by the fake Chrome page contains (Cerber) ransomware.

 

TRAFFIC

HTTP TRAFFIC FOR THE RANSOMWARE FOR THE PAST FEW DAYS:

• 47.91.76.28 port 80 - www.gerbnopesa.top - GET /user.php?f=2.gif
• 47.91.76.28 port 80 - www.opennewsnz.top - GET /user.php?f=2.gif
• 52.37.58.18 port 80 - jhdgh.club - GET /search.php
• 52.37.58.18 port 80 - jhdgh.download - GET /search.php
• 52.37.58.18 port 80 - resettinfgd1991.gdn - GET /search.php
• 52.37.58.18 port 80 - resettinfgd1991.trade - GET /search.php
• 54.149.101.37 port 80 - jhdgh.online - GET /search.php
• 185.195.24.180 port 80 - www.bkasioqpz.top - GET /user.php?f=2.gif
• 185.195.24.180 port 80 - www.nowsunnygk.top - GET /user.php?f=2.gif

RANSOMWARE DOWNLOAD FROM FAKE CHROME INSTALL PAGE ON THURSDAY 2017-04-06:

• 47.91.76.28 port 80 - sunfloridjk.top - GET /site/chrome_update_zip.html
• 47.91.76.28 port 80 - sunfloridjk.top - GET /site/download_zip.php

 

MALWARE

SHA256 HASHES FOR RANSOMWARE SAMPLES:

• fb46fcb91063ce81a904bbf344cd96edb9f2a4858bec25970a7eb7cdfd962ed0 - Cerber from from-bkasioqpz.top
• d204d9b20ccac6f0345d60dffaa69f0e0f9aabf3e308c762a72771c1c1a828fc - Cerber from jhdgh.online
• fb46fcb91063ce81a904bbf344cd96edb9f2a4858bec25970a7eb7cdfd962ed0 - Cerber from nowsunnygk.top
• 7c8889178b79d5622179d20ac6b139ebbab2faa0b2a5577b6b4795b3091275c4 - Cerber from gerbnopesa.top
• feb092e7a07320c9a68d3a3c533dea8bc5a31dfea287c693efe88ac093e8005b - Cerber from jhdgh.club
• bc3a50dad8fcb284cdcaa8a2390a82718b98736fbcece22fcb17a83fc6de192d - Cerber from jhdgh.download
• 4ece34e4bdea5fa3013dbc98783c6814216b8b4b0d02f4a7ecb9177147878de7 - Cerber from opennewsnz.top
• cfedf50077efbe8ea47a9feb13ef6b35f491f0ecc17755f94bc407b415d10f78 - Cerber from resettinfgd1991.gdn
• ec34f6c58ad5788dd4b26d7d51bd5818144ea2774a188310da8ccb3bbc20e46c - Cerber from resettinfgd1991.trade

• bea332be44718de8640c5bee195704e5f713102f89e9fbc8fcb115770c5627bb - chrome_update.zip from sunfloridjk.top
• 9e78cbd01966ae356ccfafb9c753a08fce648b6e157b017d43ce6497c9d761f6 - extracted Cerber from chrome_update.zip

 

IMAGES

Shown above:  Desktop of an infected Windows host.  Note the dollar signs used for the letter S.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of a pcaps:  2017-04-06-blank-slate-malspam.pcaps.zip   4.9 MB (4,931,890 bytes)
• ZIP archive of the spreadsheet tracker:  2017-04-06-blank-slate-malspam-tracker.csv.zip   3.0 kB (3,000 bytes)
• ZIP archive of the emails, malware, and artifacts:  2017-04-06-blank-slate-emails-malware-and-artifacts.zip   4.1 MB (4,146,785 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.