2017-04-20 - "BLANK SLATE" MALSPAM STILL PUSHING CERBER

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-04-20-Cerber-from-badwerkad.top.pcap.zip   303 kB (302,582 bytes)
• ZIP archive of the spreadsheet tracker:  2017-04-20-Blank-Slate-malspam-tracker.csv.zip   0.9 kB (940 bytes)
• ZIP archive of the malware:  2017-04-20-Blank-Slate-malspam-and-artifacts.zip   333 kB (333,331 bytes)

 

BACKGROUND:

• For background on this campaign, see the Palo Alto Networks Unit 42 Blog:  "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
• I wrote a follow-up for the Internet Storm Center (ISC) titled:  "Blank Slate" malspam still pushing Cerber ransomware.

 

OTHER NOTES:

• Just the normal round of Blank Slate emails seen today.
• Normal Blank Slate emails only consist of zip attachments containing .js files designed to download and install (Cerber) ransomware.
• I didn't find any fake Microsoft emails linking to fake Google Chrome pages today.

 

Shown above:  Flow chart for these emails.

 

Shown above:  Didn't see any malspam for them, even if those fake Google Chrome pages are still active.

 

EMAILS

Shown above:  Data from the spreadsheet tracker (image 1 of 3).

 

Shown above:  Data from the spreadsheet tracker (image 2 of 3).

 

Shown above:  Data from the spreadsheet tracker (image 3 of 3).

 

(READ: Date/Time   --   Sending mail server   --   Sending address (spoofed)   --   Subject   --   Attachment)

• 2017-04-20 05:47 UTC   --   candw.ag   --   gateway1@twcny.rr.com   --   (blank)   --   EMAIL_954724398860721_[recipient].zip
• 2017-04-20 06:14 UTC   --   ctinets.com   --   (recipient's email address)   --   (blank)   --   EMAIL_4546735537_[recipient].zip
• 2017-04-20 07:10 UTC   --   188.16.77.141   --   kristinatoye@aim.com   --   61348 [recipient]   --   2552150.zip
• 2017-04-20 09:53 UTC   --   31.131.85.4   --   [recipient]@rma.usda.gov   --   (blank)   --   EMAIL_1874513753_[recipient].zip
• 2017-04-20 13:51 UTC   --   122.191.90.62   --   balaji@mcs.anl.gov   --   (blank)   --   EMAIL_1045549183911_[recipient].zip
• 2017-04-20 14:39 UTC   --   cpc5-duns7-2-0-cust384.9-3.cable.virginm.net   --   thiti.b@gmail.com   --   30613 [recipient]   --   4766159.zip

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

URLS GENERATED BY THE EXTRACTED .JS FILES:

• 47.91.76.28 port 80 - badwerkad.top - GET/admin.php?f=404
• [Domain did not resolve] - resettinfgd1991.pw - GET/search.php
• [Domain did not resolve] - resettinfgd1991.club - GET/search.php

CERBER POST-INFECTION TRAFFIC:

• 94.21.172.0 - 94.21.172.31 (94.21.172.0/27) UDP port 6893
• 94.22.172.0 - 94.22.172.31 (94.22.172.0/27) UDP port 6893
• 94.23.172.0 - 94.23.175.255 (94.23.172.0/22) UDP port 6893
• 193.169.135.155 port 80 - p27dokhpz2n7nvgr.1jpb8w.top

 

SHA256 HASHES

EMAIL ATTACHMENTS:

• 95a5d63799245f364ffca436db6db1f6ef8b3a737bbe69db0773580b4f62c8e9 - 2552150.zip
ab77f2127019eb940328598fcdd0610131a1a15ee159a58a6cb4f01ce20359a8 - 4766159.zip
• 984c467750c0bdf6666a19bb58ba977f438abe3f96f2f807c62919ddc05119ea - EMAIL_1874513753_[recipient].zip
• fb190e7e7fa8b1edae1b7aa881b7433fa9a02e0038a9cacc555db6f9c4ee85ad - EMAIL_4546735537_[recipient].zip
• 8ad6aadd2cf5412293df5088d965ee60642cb9e32172874a50021a5969d1fa3c - EMAIL_1045549183911_[recipient].zip
• 8b37015b6b2d0cf72cd6eb4dce34888235e16f3ffc67a5bdca743588936edc23 - EMAIL_954724398860721_[recipient].zip

 

EXTRACTED .JS FILES:

• 70e6d68813fd3de20c9a606b66af2829d24ae398e16d22a70e7d4dc28ee12f35 - 2856.js
• ed3d344d3b3977c53607d8168acd020e33749e0f34e7e27424a5a6a5814f5bb3 - 7755.js
• 5d02f1a90802b1e04fe2aca7806903aa98b575380a225b5cf5e3f7dea14bd772 - 18092.js
• b7c277ed5b60020818f657ca4319b807086550bf1d160b552caaac379347deee - 25891.js
• a6a0c883159cd43852ac041f43f8b0629a3afce930c986f25d821b370be3bd06 - 31369.js
• 911a21e84ba7fb5f1d579caa5a1e0dc54032b80020fda344cf7ea77df7c9d41c - 31380.js

 

CERBER RANSOMWARE:

• SHA256 hash:  44674a537e498f64aeb16b5d304da93f0d91fcce644b7917a0f8fd4302f4a4b0
  File description:  Cerber ransomware downloaded from badwerkad.top on 2017-04-20

 

IMAGES

Shown above:  Desktop of an infected Windows host.

 

Shown above:  The ransom price when I checked was 1 Bitcoin.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-04-20-Cerber-from-badwerkad.top.pcap.zip   303 kB (302,582 bytes)
• ZIP archive of the spreadsheet tracker:  2017-04-20-Blank-Slate-malspam-tracker.csv.zip   0.9 kB (940 bytes)
• ZIP archive of the malware:  2017-04-20-Blank-Slate-malspam-and-artifacts.zip   333 kB (333,331 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.