Cerber Ransomware Spreads Via Blank Emails

The updated Red Cerber ransomware has been used as the primary payload in a series of blank email spam campaigns operated by computer hackers.

The Cerber Ransomware Tries A New Infection Strategy

Computer security researchers have observed several waves of dangerous spam campaigns that target users worldwide. According to them, a possible reason is a recent information-harvesting attack that was reported last month. The incident was carried out using several popular ransomware strains (including Sage), which managed to extract strings that correspond to victim and contact emails. The ransomware has become a popular tool among criminals, as it uses a large number of C&C servers and domains.

To initiate the campaigns, the hackers have devised a complex scheme which consists of two parts:

  1. Email Messages Customization and Delivery – The hackers use a botnet to customize and send out the relevant spam messages to the predefined targets gathered from previously infected hosts.

  2. Infection – The second phase is the infection of the target hosts using infected Microsoft Office documents.

The Cerber ransomware infection uses the well-known document infection strategy. It relies on email messages that deliver dangerous attachments in the form of Microsoft Word files. When victims open one, they are presented with a prompt which asks them to execute the built-in macros. If they do, the included payload is downloaded and executed on the system. The current wave of attacks carries the dangerous Red Cerber ransomware.

Other files that have been identified in the attack campaign include JavaScript (.js) files and archives. The defining characteristic of the new wave is that it consists of emails without any body text. They include only attached files (archives, documents or JavaScript files) that contain scripts which lead to the infection. During the analysis, one of the discovered archives contained another archive, an example of the “doublezipping” technique which is used to counter detection by most anti-virus products. The infection requires an additional layer of user interaction. The dangerous macros employed are of the VBA type (Visual Basic for Applications) and execute after the user has interacted with the necessary prompt. The JavaScript executes within the Windows Script Host when it is opened.
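A mail-gateway triage check for the traits described above (empty body, a single attachment, a risky file type, an archive nested inside an archive), given here as an added example that is not part of the original article. The extension list, the size cap, the function names and the sample message are all assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

RISKY_EXT = (".js", ".doc", ".docm", ".zip")  # assumed list, from the file types named above
MAX_NESTED_BYTES = 10 * 1024 * 1024  # assumed cap so nested archives cannot exhaust memory

def zip_findings(data, depth=0, max_depth=3):
    """List risky members of a zip, descending into nested zips (double zipping)."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                if name.endswith(".zip") and depth < max_depth and info.file_size <= MAX_NESTED_BYTES:
                    found.append(f"nested-archive:{info.filename}")
                    found += zip_findings(zf.read(info), depth + 1, max_depth)
                elif name.endswith(RISKY_EXT):
                    found.append(f"risky-member:{info.filename}")
    except (zipfile.BadZipFile, RuntimeError):  # corrupt or password-protected
        found.append("unreadable-archive")
    return found

def triage(raw):
    """Return reasons to quarantine a raw RFC 5322 message; empty list means no match."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body else ""
    attachments = list(msg.iter_attachments())
    if text or len(attachments) != 1:
        return []
    name = (attachments[0].get_filename() or "").lower()
    reasons = [f"blank-body-single-attachment:{name}"] if name.endswith(RISKY_EXT) else []
    if name.endswith(".zip"):
        reasons += zip_findings(attachments[0].get_payload(decode=True))
    return reasons

def build_sample():
    """Constructed sample: blank body, one zip wrapping a second zip that holds a .js."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.js", "// constructed placeholder, harmless\n")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    msg = EmailMessage()
    msg.set_content("\n")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="outer.zip")
    return msg.as_bytes()
```

Calling `triage(build_sample())` returns the blank-body flag plus the nested archive and the script inside it; a message with real body text returns an empty list.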

Upon infection, the malware communicates with remote C&C servers, for which a long list of infrastructure is already in place. This campaign, dubbed “Blank Slate”, has been active since July 2016 and has been used to distribute a wide variety of ransomware such as Sage. Exploit kits and botnets are the primary generators used to direct the emails. The security experts note that one of the key factors in the success rate and longevity of the campaign is that the hackers have been able to obtain access to over 500 domains. Some of the domain names were registered only a few days before they were used as C&C servers. The operators are quick to change hosts, as they constantly maintain a long list of attack infrastructure. The experts note that it is very simple to register a domain name and use it as an attack server. Registration can be easily automated, and the necessary data (credit card data) can easily be spoofed or bought from underground black markets.

This leads to an effective “Abuse Cycle” as detailed below:

  1. The hackers create new accounts on various hosting providers for infrastructure use.

  2. The necessary servers are configured to run and deploy the spam messages against a list of predefined targets.

  3. The hosting providers suspend the accounts when they detect abuse.

  4. The relevant URLs are reported to the various security experts.

As always, the hackers have used the Red Cerber ransomware strain, as it has proven to be one of the successful viruses ever since its inception a few months ago. Exploit kits such as RIG are used in combination with the spam messages to boost infections worldwide. While all of the messages contain empty bodies and only single file attachments, the hackers can use the subject titles to attempt to deliver warnings or other types of information that may be of interest to users.

We recommend that all users employ a quality anti-spyware solution to protect their computers from possible intrusions or attacks and easily remove infections with a few mouse clicks.


Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
