In March 2017, Palo Alto Networks Unit 42 published research on a new malicious spam campaign dubbed "Blank Slate," so named because the malspam message body is empty; only the malicious attachment is present, as seen in Figure 1.

Figure 1: Blank Slate malspam e-mail

Recently, Blank Slate struck again, once more deploying Cerber ransomware and affording me the opportunity to obtain the latest samples courtesy of malware-traffic-analysis.net. The malspam e-mails contained zipped JavaScript files which, when executed, download Cerber ransomware. In this specific attack, two malware-serving domains, or malware servers, were used:

- unityqueryzouneasty[.]pw
- momendfakol[.]top
As expected, the malicious JavaScript file connects to one of these malware servers, downloads and installs the ransomware, and passes control to it. While this looks like a typical malware installation, there is a difference in how the malware is hosted on the two servers.

The first, unityqueryzouneasty[.]pw, serves the malware directly as an executable file (Figure 2).

Figure 2: Traffic from unityqueryzouneasty[.]pw

We can quickly identify the executable traversing the network from the TCP stream. This executable is the Cerber ransomware about to be installed on the target system.

The second malware-serving domain, momendfakol[.]top, behaves differently, as seen in Figure 3 and Figure 4.

Figure 3: Traffic from momendfakol[.]top

Figure 4: HTTP object list

The TCP stream in Figure 3 shows that, instead of downloading a single binary, the script downloads chunks of data. These chunks are listed in Figure 4: there are 68 of them, each around one kilobyte in size. Initially, I thought reassembling these chunks would yield the actual Cerber executable, but this proved not to be the case. Rather, this sample is an encrypted copy of Cerber, downloaded to a temporary location and then decrypted during the installation process. This is the same technique used in a recent Locky ransomware attack that used HTA files as an infection vector, which I discussed in a previous blog.

The result of this latest Blank Slate campaign is the same as that of earlier iterations: a system compromised by Cerber ransomware. It is unclear why this campaign uses two different delivery methods, but it is possible the threat actors used two malware-serving domains hosted by different malicious hosting providers, the first serving malware in the traditional way while the second operates in a more paranoid mode.
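The two delivery styles above differ in something an analyst can check directly on the captured HTTP bodies: a straight download starts with an MZ/PE header, while the reassembled chunks from the second server do not, and their near-maximal byte entropy is what marks them as an encrypted blob rather than a plain executable. The following script is an added example, not code from the original post or from the campaign; it triages a list of HTTP response bodies (as you would export them from a pcap) by reassembling them, testing for a PE header, and measuring entropy. The sample bodies are constructed inside the script: a minimal MZ/PE-shaped blob stands in for the direct download, and 68 one-kilobyte chunks of deterministic pseudo-random bytes stand in for the encrypted download. Nothing is fetched from the real domains.

```python
"""Triage downloaded payload bodies: straight PE vs. chunked/encrypted blob.

Added example (not from the original post). It models the two delivery
styles described above: one server returns the ransomware as a plain
executable, the other returns ~68 chunks of roughly 1 KiB that reassemble
into an encrypted blob rather than a PE file. The sample bodies below are
constructed in this script; they are not bytes from the real campaign.
"""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def reassemble(bodies):
    """Concatenate HTTP response bodies in the order they were fetched."""
    return b"".join(bodies)


def classify_download(bodies, entropy_threshold=7.0):
    """Describe what the downloader actually pulled over the wire.

    A PE header wins regardless of entropy (packed executables can be
    high-entropy too). Otherwise, high entropy with no recognisable
    header is the signature of an encrypted payload that the dropper
    decrypts on the host after staging it in a temporary location.
    """
    blob = reassemble(bodies)
    ent = shannon_entropy(blob)
    if looks_like_pe(blob):
        kind = "pe_executable"
    elif ent >= entropy_threshold:
        kind = "opaque_high_entropy"
    else:
        kind = "unknown"
    return {"chunks": len(bodies), "size": len(blob), "entropy": round(ent, 2), "kind": kind}


# ---- constructed sample inputs (not real captures) -------------------------
def fake_pe(size=4096):
    """Minimal MZ/PE-shaped blob with a low-entropy body; stands in for the direct download."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew -> offset 0x80
    body = bytearray(size - len(hdr))
    body[0x80 - len(hdr):0x80 - len(hdr) + 4] = b"PE\x00\x00"
    return bytes(hdr + body)


def fake_encrypted_chunks(n_chunks=68, chunk_size=1024, seed=b"blank-slate-demo"):
    """Deterministic pseudo-random bytes (SHA-256 chain) split into n_chunks; stands in
    for the 68 ~1 KiB chunks of the encrypted download."""
    stream = b""
    block = seed
    while len(stream) < n_chunks * chunk_size:
        block = hashlib.sha256(block).digest()
        stream += block
    stream = stream[: n_chunks * chunk_size]
    return [stream[i:i + chunk_size] for i in range(0, len(stream), chunk_size)]


if __name__ == "__main__":
    print("direct download :", classify_download([fake_pe()]))
    print("chunked download:", classify_download(fake_encrypted_chunks()))
```

On real traffic, feed `classify_download` the exported bodies of each HTTP session; a result of `opaque_high_entropy` after reassembly is the cue to stop looking for a PE on the wire and instead recover the decrypted executable from the host (the temporary file the dropper writes, or memory).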
The post Blank Slate: A Tale of Two Malware Servers appeared first on Speaking of Security - The RSA Blog.
