2017-07-29 - "BLANK SLATE" CAMPAIGN PUSHES BTCWARE (ALETA VARIANT) RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-07-29-BTCware-ransomware-from-cabeiriscout_faith.pcap.zip 139 kB (138,830 bytes)
- 2017-07-29-Blank-Slate-email-tracker.csv.zip 0.8 kB (806 bytes)
- 2017-07-29-Blank-Slate-emails-and-BTCware-files.zip 305.0 kB (304,950 bytes)
BACKGROUND:
- 2017-03-02 - Palo Alto Networks Unit 42 Blog: "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
- 2017-03-22 - Internet Storm Center (ISC): "Blank Slate" malspam still pushing Cerber ransomware.
- 2017-06-29 - ISC: Catching up with Blank Slate: a malspam campaign still going strong.
TODAY'S NOTES:
- In the past two or three weeks, I've seen a lot of BTCware ransomware from the Blank Slate campaign.
- This is the Aleta variant of BTCware, using the .aleta file extension for encrypted files.
- More information on this "Aleta" variant of BTCware can be found here.
- No post-infection traffic for this ransomware.
EMAILS
Shown above: Example of the emails seen.
Shown above: Samples collected as noted in the spreadsheet tracker.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
URLS GENERATED BY THE EXTRACTED .JS FILES TO GET THE RANSOMWARE:
- 119.28.78[.]131 port 80 - cabeiriscout[.]faith - GET /support.php?f=1.dat
EMAIL FROM THE DECRYPTION INSTRUCTIONS:
- chines34@protonmail[.]ch
SHA256 HASHES
FILE ATTACHMENTS (ZIP ARCHIVES):
- 45c0a3a39459334c25bc82f2c9da40f7837750f28414d4ab667fd619c225e36e - EMAIL_20688570373232_[recipient].zip
- e4a210b6a0c9b3bcb5d43880ec150a5f3a42206c31ec553c9309c4b336419a24 - EMAIL_25183581302350_[recipient].zip
- fd474697a5a81c82589012a859318f0232717575476f7819af8b4c7f50acc21f - EMAIL_29947_[recipient].zip
- a23cb27fd3354d2e0f5ad898ad482196ab32fb571ab7edb02fba50fe35f718b5 - EMAIL_537710951959_[recipient].zip
- a52b3db623f2b2a9cedf0e4c0a6358a0791d65e50cb0229425c4bacd0888f361 - EMAIL_709519255837_[recipient].zip
EXTRACTED .JS FILES:
- 9b5697e2341ccb16a9c70f15daf3e0b6d890e974ccd3c6a594daa7753aec050e - DIy.js
- b335f7e2416d76f457147ce1550560890e7582840a246d95cdf08d64f0384056 - WywP.js
- d5afe2e525f2d8810cfbdec709353e79a21b5f7b2c9999fc108a4a0bbb0ceb45 - bToVk9U5.js
- ef1f4c5a5581333f3091fa13cec4a1fc94609bad92e2de3c7cd045329e34bf45 - jPWwTL89A.js
- 5141a89e6fed2838a8107c83b218b2dd158a03623cd12b3e781bdb3342d559c8 - sowga.js
BTCWARE (ALETA VARIANT) RANSOMWARE SAMPLE:
- SHA256 hash: 8c137b7ea011e0ecd9e7ad76536e6c50c29bea3a0f277a132bfe48af1b7b8958
File size: 431,616 bytes
File description: BTCware from cabeiriscout[.]faith on 2017-07-29
IMAGES
Shown above: Desktop of a Windows host infected with today's BTCware sample.
Click here to return to the main page.