Executive SummaryTalos is continuously analyzing email based malware always looking at how adversaries change and the new techniques that are being added on an almost constant basis. Recently we noticed some novel ways that adversaries are leveraging Google and Tor2Web proxies to spread a ransomware variant, Cerber 5.0.1.
This particular campaign looks to have started on November 24th and has been ongoing for the past several days. This campaign did not use advanced techniques that we sometimes see used by adversaries that include well written, professional looking emails, with legitimate signature blocks or other identifying characteristics. In this campaign, the emails were anything but professional. However, they did vary significantly with what we typically see from a ransomware distribution perspective.
Today, spam based ransomware infections are heavily skewed toward Locky. The majority of spam messages we see today are affiliates producing large amounts of spam that leverage various types of script-based file extensions to download the Locky executable and infect systems. This campaign looked different in that the messages didn't contain an attachment and were extremely short and basic. What we found was a potential next evolution for ransomware distribution that relies more heavily on Tor to obfuscate their activity and hinder the ability to shut down servers that are hosting the malicious content.
The email messages associated with this spam campaign purport to contain hyperlinks to various files that may be of interest to the recipient such as pictures, order details, transaction logs, loan acceptance letters, etc. In all of the messages Talos analyzed, the subject lines of the emails contained the name of the recipient of the email messages which may make them seem more legitimate to unsuspecting victims.
Once the initial redirection and Tor2Web proxying occurs, the victim's system will download a malicious MS Word document, which functions as a malware downloader for the Cerber ransomware itself. Below is an example of a malicious MS Word document associated with this campaign.
|Sample Word Document|
The use of a folder path containing greater than the maximum number of characters allowed for a folder name, causes the code execution to simply skip these commands and continue along the code execution path. The highlighted portion of the image below shows some of this code. Everything before the '&' will result in an error, but execution continues.
|CMD.exe Command Calling Powershell|
A video demonstrating the entire infection process is included below:
Indicators of CompromiseEmail Subjects (Some Customization to Individual Usernames was found):
How are you
ConclusionThe Cerber ransomware family has continued to evolve very rapidly over the past several months. This latest distribution campaign highlights how ransomware based threats are continuing to evolve and mature over time, and shows an increasingly sophisticated infection process as attackers continue to implement new methods to attempt to evade detection and make analysis more difficult. Cerber continues to release new versions very quickly and will likely continue to do so in the future. This campaign demonstrates the importance of ensuring that organizations use defense-in-depth defensive architectures to protect their environments as well as the importance of ensuring that employees are properly trained on the email-based threats and proper hygiene.
Tor is a useful way to browse the web anonymously. However, adversaries are leveraging it heavily to distribute and host malicious content. In this particular instance if all Tor2Web and Tor traffic were blocked the threat would be largely mitigated. Organizations need to decide if the business case for allowing Tor and Tor2Web on the network outweighs the potential risks to its users.
CoverageAdditional ways our customers can detect and block this threat are listed below.
AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.
The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.
Email Security can block malicious emails sent by threat actors as part of their campaign.