Blank Slate is the nickname for a malicious spam (malspam) campaign pushing ransomware targeting Windows hosts. I've already discussed this campaign in a previous diary back in March 2017. It has consistently sent out malspam since then. Today I collected 11 Blank Slate emails, so this diary examines recent developments from the Blank Slate campaign.
Shown above: Screenshots of spreadsheet tracking for the 11 emails (3 images).
Normally, emails from this campaign are blank messages with vague subject lines and attachment names that don't indicate what they contain. That's why I've been calling it the Blank Slate campaign.
Shown above: Example of a typical Blank Slate email from today, Wednesday 2017-06-28.
However, since yesterday, the Blank Slate campaign has sent several Microsoft-themed messages. We've seen this before. As recently as 2017-04-13, I documented Blank Slate malspam using fake Microsoft messages that led to fake Chrome installation pages.
Shown above: Microsoft-themed Blank Slate email from April 2017.
Today, however, the Microsoft-themed messages don't have links to a fake Chrome page.
Shown above: Microsoft-themed Blank Slate email from today, Wednesday 2017-06-28.
Otherwise, these emails are similar to previous waves of Blank Slate malspam.
As usual, the zip attachments are double-zipped, and they contain a .js file designed to infect a Windows computer with ransomware. I saw two types of .js files. One was about 9 kB in size, and it ran the downloaded ransomware from the user's AppData\Local\Temp directory. The other type of .js file was about 31 kB in size, and it ran the downloaded ransomware from the user
Shown above: Example of a 9 kB .js file from this wave of malspam.
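The double-zipped .js pattern described above is easy to check for at the mail gateway without ever writing the attachment to disk. The following is an added example, not code from the diary or from the campaign's scripts: it walks nested zip archives in memory, reports any Windows script file it finds and how many zip layers deep it sits, and refuses to recurse past a fixed depth or into oversized members so a crafted archive cannot exhaust the filter. The attachment it inspects is constructed inline (the inner file is an inert placeholder named after one of today's samples, not the malicious script), and the extension list, depth and size limits are my own choices.

```python
"""Flag double-zipped Windows script attachments (Blank Slate pattern).
Added example; the archives below are constructed in memory so it runs offline."""
import io
import zipfile

# Extensions the Windows Script Host (or mshta) will run on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
MAX_DEPTH = 4                  # stop descending into nested zips past this many layers
MAX_MEMBER_BYTES = 5_000_000   # do not decompress nested zips larger than this (zip-bomb guard)


def walk_zip(data, depth=0, path=""):
    """Yield (zip_depth, member_path, is_script) for every file inside the
    archive, descending into nested .zip members without touching disk."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip: nothing to report at this level
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}" if path else info.filename
            lower = info.filename.lower()
            nested = lower.endswith(".zip") and depth + 1 < MAX_DEPTH
            if nested and info.file_size <= MAX_MEMBER_BYTES:
                yield from walk_zip(zf.read(info), depth + 1, member)
                continue
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            yield depth + 1, member, ext in SCRIPT_EXTENSIONS


def verdict(attachment):
    """Return (should_block, reasons). Blocks when any script file is reachable
    inside the archive; the nesting depth is reported as supporting context."""
    reasons, max_depth, found_script = [], 0, False
    for depth, member, is_script in walk_zip(attachment):
        max_depth = max(max_depth, depth)
        if is_script:
            found_script = True
            reasons.append(f"script {member} at zip depth {depth}")
    if found_script and max_depth >= 2:
        reasons.append(f"nested archive, {max_depth} zip layers deep")
    return found_script, reasons


def build_sample():
    """Constructed double-zipped attachment: outer zip -> 7941.zip -> 7941.js.
    The script body is an inert comment, not the campaign's code."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("7941.js", "// inert placeholder, not the malicious script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("7941.zip", inner.getvalue())
    return outer.getvalue()


def build_benign():
    """Constructed single-layer zip holding a non-script file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.4\n% placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("malspam-style", build_sample()), ("benign", build_benign())):
        block, why = verdict(blob)
        print(f"{name}: block={block} {why}")
```

A real gateway would also look inside .rar and .7z members and at the decompressed size claimed in the zip headers, but the check above already catches the chain the diary describes: two zip layers and a .js at the bottom.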
Traffic is also typical of what we've seen before with Blank Slate malspam.
Shown above: Ransomware binary downloaded by one of the .js files.
No post-infection traffic was noted for today's GlobeImposter ransomware. I saw the typical post-infection traffic for today's Cerber samples.
Shown above: Traffic generated by a Cerber sample from todays malspam, filtered in Wireshark.
As others have noted on Twitter and elsewhere, recent Cerber samples use CRBR as their name in the decryption instructions.
Shown above: Desktop of a Windows host infected with one of today's Cerber samples.
Shown above: Based on the above MachineGuid, all my encrypted files end with .BRAD.
GlobeImposter also acts the same as we've seen before.
Shown above: Desktop from a Windows host infected with todays GlobeImposter sample.
Indicators of Compromise (IOCs)
The following are SHA256 hashes for today's extracted .js files:
- 10358fb055b8d8e0d486eafc66be180d52481667fb63bf4e37bf9cafe5a0dbdb - 7941.js
- 153b11ae2df30b671bd0bd54af55f83fd2a69e47c8bb924b842bc1b44be65859 - 25601.js
- 1cbf043831b16ca83eeaff24f70b1a3ea4973d2609e64db33fd82cc0629f1976 - 6935.js
- 567bb9c835306e02dbedc5f10e32c77a2c6f1c2f28ff49c753f963776a9378b5 - 30085.js
- 7ecd1253aad0935df1249d6504d3f4090a00466fa159c2ec4e2d141b4b75068f - 9177.js
- 8b7202a672290e651f9d3c175daaf2b8a3635eba193e925da41bd880a611f2af - 13521.js
- 8ec6455eb9f8a72fef35e9a330e59153f76b8ebd848c340024669e52589ceb18 - 23288.js
- b6ab00337d1e40f894ca3959ee9a19e4c9e59605ed1f2563f0bde4df5f76981b - 27465.js
- c9f71912dd39d4d4ed9f54f6a51f99ee0687e084c2e8782f0b0d729b743e7281 - 3047.js
- d19233fd99213f5a1d299662d9693eb6bc108d72ce676893bc69c8d309caa54a - 26715.js
- ed855d0b4cfd5150a4b44a1d3b6c26224e2990743d977804bab926d569aa963b - 24703.js
The following are SHA256 hashes for ransomware samples downloaded by the extracted .js files:
- 0dc831b502f29d4a6a68da9e511feb8c646af4fcfdeaaee301cb5b0dbaf47c5f - Cerber
- 703b1ea2b0310efdc194b178c777c2e63d5ad1b7f2ac629c01ffa1b36859ba2f - GlobeImposter
- b1be5af4169014508b17d2de5aa581ea62988cc4d3570ed2ed7f9fb931a5902b - Cerber
- d1ed3742380539fbef51804e1335c87dd0ef24a6de7f0aa09ce26ad1efe4bcef - Cerber
The following are domains, HTTP requests, and IP addresses associated with today's Blank Slate malspam:
- 220.127.116.11 port 80 - coolfamerl.top - GET /1 [returned Cerber]
- 18.104.22.168 port 80 - clippodoops.top - GET /403 [returned GlobeImposter]
- 22.214.171.124 port 80 - clippodoops.top - GET /1 [returned Cerber]
- 126.96.36.199 thru 188.8.131.52 (184.108.40.206/27) UDP port 6893 [Cerber post-infection scan]
- 220.127.116.11 thru 18.104.22.168 (22.214.171.124/27) UDP port 6893 [Cerber post-infection scan]
- 126.96.36.199 thru 188.8.131.52 (184.108.40.206/22) UDP port 6893 [Cerber post-infection scan]
- 220.127.116.11 port 80 - xpcx6erilkjced3j.1t2jhk.top - Domain leading to the Cerber decryptor
Email from the GlobeImposter decryption instructions: [email protected]
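The HTTP and UDP indicators above translate directly into two detections: a match on the payload host and URI, and a fan-out check for one host sending UDP to port 6893 across a whole subnet, which is what the Cerber post-infection scan looks like in a pcap. The block below is an added example, not code from the diary; it runs over constructed flow records, uses the diary's domains and paths as the HTTP indicators, and stands in RFC 5737 test addresses for the scanned blocks since the real destination ranges are not reproduced here. The /22 grouping and the threshold of 16 distinct destinations are my own choices.

```python
"""Match flow records against the diary's Blank Slate / Cerber indicators.
Added example; the records and addresses below are constructed test data."""
import ipaddress
from collections import defaultdict

# (Host header, request URI) pairs from the diary's HTTP indicators.
HTTP_IOCS = {
    ("coolfamerl.top", "/1"),
    ("clippodoops.top", "/403"),
    ("clippodoops.top", "/1"),
}
CERBER_UDP_PORT = 6893   # destination port of the Cerber post-infection scan
FANOUT_THRESHOLD = 16    # distinct hosts hit inside one /22 before we alert


def match_http(records):
    """Return (src, host, uri) for every request that hits a known payload URL."""
    return [
        (r["src"], r["host"], r["uri"])
        for r in records
        if r["proto"] == "http" and (r["host"], r["uri"]) in HTTP_IOCS
    ]


def detect_udp_fanout(records):
    """Group UDP/6893 flows by (source, destination /22) and report sources that
    touched at least FANOUT_THRESHOLD distinct hosts in a block: one packet to a
    single host is noise, a sweep across a subnet is the Cerber scan."""
    seen = defaultdict(set)
    for r in records:
        if r["proto"] == "udp" and r["dport"] == CERBER_UDP_PORT:
            block = ipaddress.ip_network(f"{r['dst']}/22", strict=False)
            seen[(r["src"], block)].add(r["dst"])
    return [
        (src, str(block), len(dsts))
        for (src, block), dsts in seen.items()
        if len(dsts) >= FANOUT_THRESHOLD
    ]


def constructed_records():
    """Constructed flows: one victim fetching the GlobeImposter URL, some benign
    browsing, a lone UDP packet from another host, and the victim sweeping a
    /24 inside 192.0.2.0/22 (TEST-NET-1) on UDP 6893."""
    victim = "10.0.0.5"
    recs = [
        {"proto": "http", "src": victim, "host": "clippodoops.top", "uri": "/403"},
        {"proto": "http", "src": victim, "host": "example.org", "uri": "/"},
        {"proto": "udp", "src": "10.0.0.9", "dst": "198.51.100.7", "dport": CERBER_UDP_PORT},
    ]
    for i in range(1, 33):
        recs.append({"proto": "udp", "src": victim, "dst": f"192.0.2.{i}", "dport": CERBER_UDP_PORT})
    return recs


if __name__ == "__main__":
    flows = constructed_records()
    print("HTTP IOC hits:", match_http(flows))
    print("UDP 6893 fan-out:", detect_udp_fanout(flows))
```

In production the records would come from Zeek conn.log and http.log (or a Wireshark export), and the HTTP match should key on the Host header rather than the resolved IP, since the diary shows the same address serving both a Cerber and a GlobeImposter path.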
As I noted last time, potential victims must open the zip attachment, open the enclosed zip archive, then double-click the final .js file. That works on default Windows configurations, where double-clicking a .js file hands it to the Windows Script Host, but properly-administered Windows hosts and decent email filtering are enough, I think, to keep most people from worrying about Blank Slate.
This is definitely not as serious as the recent Petya/NotPetya ransomware outbreak on 2017-06-27. I still wonder how many people are fooled by Blank Slate malspam. Does anyone know someone who was actually infected from these emails? If so, please share your story in the comments section below.
Pcap and malware samples for this ISC diary can be found here.
brad [at] malware-traffic-analysis.net
© SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Article Link: https://isc.sans.edu/diary/rss/22570