Last month on 2016-11-22, I saw 10 items of malicious spam (malspam) sent to my spam folder. The messages all had links to malware. Unfortunately, by the time I examined those emails, the links were no longer active. I sent a tweet about it and moved on to other things.
Flash forward to this week. On Tuesday 2016-12-13, @malwrhunterteam noticed the same type of malspam. I checked my spam folder and found another four similar messages. This time, the links were still active, and I generated a full chain of infection traffic. That wave of malspam distributed Cerber ransomware.
The very next day on Wednesday 2016-12-14, I noticed another two messages in my spam folder with the same characteristics using a different domain. This wave of malspam also distributed Cerber ransomware.
Today's diary looks at indicators from these three waves of malspam. Perhaps we can get a better idea of the actor behind this activity.
Chain of events
The four emails from 2016-12-13 have links that downloaded a .js file. In my lab environment, double-clicking the .js file downloaded and installed Cerber ransomware. The two emails from 2016-12-14 have a link for a Microsoft Word document. The Word document has a malicious macro. In my lab environment, enabling the macro also downloaded and installed Cerber ransomware.
Below are the recipient email addresses in the malspam I received during all three waves:
Below are the subject lines I saw for each of the three waves:
For each wave I saw, the emails all came from the same mail server. These servers also hosted the malicious links within the malspam. The servers were:
Based on the domain names and IP addresses, the criminals likely abused commercially available services. Below is the registration info and date registered for each domain.
All domains used a privacy guard service for the registration info, and all domains used name servers from cloudflare.com. Below is information on the IP addresses hosting the malspam domains:
Links from the emails were unique for each email during the first two waves. The two messages from the third wave I saw on 2016-12-14 had the same URL that led directly to a Word document.
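As an added example (not part of the original diary), the following Python triage helper applies two of the observations above, that the malicious links were hosted on the same server that sent the message and that they pointed directly at a .js or .doc file, to a constructed sample message. The hostnames and addresses in the sample are placeholders, not the campaign's actual domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; hostnames and addresses are placeholders,
# not the actual domains from the diary.
SAMPLE_MSG = """\
Received: from mail.example-malspam.test (mail.example-malspam.test [198.51.100.7])
From: "Abuse Desk" <abuse@example-malspam.test>
To: victim@example.org
Subject: Domain Abuse Report
Content-Type: text/plain

Please review the report: http://example-malspam.test/report/Domain_Abuse_Report_Viewer.js
"""

# File types the campaign linked to directly, plus the executable they fetched.
DIRECT_PAYLOAD_EXTS = (".js", ".doc", ".exe")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def base_domain(host):
    """Crude registrable-domain guess: last two labels (no public-suffix lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw):
    """Return [(url, [reasons])] for suspicious links in one RFC 5322 message."""
    msg = message_from_string(raw)
    sender_dom = base_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    relay_doms = set()
    for hdr in msg.get_all("Received") or []:
        m = re.match(r"\s*from\s+(\S+)", hdr)  # first hop named in each Received:
        if m:
            relay_doms.add(base_domain(m.group(1)))
    text = ""
    for part in msg.walk():  # collect every text/* body part
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", "replace")
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,);")  # drop trailing punctuation from prose
        parsed = urlparse(url)
        host_dom = base_domain(parsed.hostname or "")
        reasons = []
        if host_dom and host_dom in relay_doms:
            reasons.append("link hosted on the sending mail server")
        if host_dom and host_dom == sender_dom:
            reasons.append("link domain matches From: domain")
        if parsed.path.lower().endswith(DIRECT_PAYLOAD_EXTS):
            reasons.append("direct link to %s file" % parsed.path.rsplit(".", 1)[1])
        if reasons:
            findings.append((url, reasons))
    return findings
```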
For details, see the spreadsheet available here.
In both waves for which I have traffic, the same URL for the Cerber ransomware executable was generated, whether the download came from the .js file on 2016-12-13 or the .doc macro on 2016-12-14. Below are images from the pcaps of the traffic in Wireshark that help illustrate the chain of events.
The ransomware was different each day, each with a different file hash, and each with different IP addresses and domains during the post-infection traffic. Both Cerber samples had .8637 for the file extension in the files they encrypted.
Below are indicators of compromise (IOCs) for traffic generated from the 2016-12-13 wave of malspam:
Below are IOCs for traffic generated from the 2016-12-14 wave of malspam:
Below is information for the associated .js file, .doc file, and Cerber ransomware executables:
File name: Domain_Abuse_Report_Viewer.js
File description: Cerber downloaded by .js file from ggjghhfhfh.com on 2016-12-13
File name: Invoice_349KL.doc
File description: Cerber downloaded by Word macro from ggjghhfhfh.com on 2016-12-14
A copy of the infection traffic, associated emails, malware, and artifacts can be found here.
Other people have noticed these malspam runs, and they've gotten some public attention through various blogs [3, 4, 5]. They never last long. I assume that's because the associated IOCs are reported fairly quickly, and the emails I've seen always get flagged as spam.
Fortunately, best security practices will help prevent infections like the ones in today's diary. A good email filtering system, properly administered Windows hosts, and an educated workforce mean users are much less likely to be infected.
Nonetheless, I assume this activity is somehow profitable for the people behind it. The criminals must be having some sort of success with these Cerber ransomware malspam runs. Why else would it keep happening?
Dec 15th 2016