Definitely Not Cerber
At the beginning of last week we noticed a spam campaign delivering a double zipped JScript file. The campaign started on September 8th. The email had the subject line of “RE: [name of recipient]” with an empty body, and an attached zip file named “[recipient name][a-z]{4}.zip”.
The characteristics of the mail, the naming of the attachment, and the obfuscation used in the sample were similar to what has previously been seen in the distribution of Cerber ransomware. Testing one of the samples led to an unpleasant surprise that looked nothing like Cerber.
The final payload of that particular sample was Locky ransomware. It was an odd discovery, especially as Locky is known to be distributed by the Necurs botnet in totally different campaigns with higher prevalence. This campaign spanned over a week, with no more than a few dozen samples per day. Further analysis of the campaign revealed minor tweaks and updates to the attached item during the week.
The first attachment type delivered, on the evening of the 8th, was an obfuscated JScript downloader. Distribution of this type continued for a few days. The next surge, two days later, delivered a similarly obfuscated JScript downloader inside a JScript encoded script file (.jse). Later, the campaign continued by spamming encrypted JScript files, but changed the obfuscation to support custom XOR encryption of critical strings. In the last update the size of the downloader was doubled with comments, and the distribution spiked a little.
The contacted URLs also followed the format observed in previous Cerber campaigns. In total, the samples contacted 7 domains registered under the .top TLD, resolving to two IP addresses, each with 7 different query parameters in the format ?f=[1-7]{1}.bin. The query was hard-coded in each distributed sample, and 25% of the samples contacted the domains with query parameter 1. (By comparison, if the parameters were randomly generated, the share for any one parameter would be roughly 14% instead of 25%.)
Further analysis of the URLs revealed that the same sample of Locky was delivered on all domains with query parameters 2 through 7. Query parameter 1 was allocated to serve Cerber ransomware.
This is not the first time Cerber has been distributed in the same campaign as other nasty malware. Last May, Cerber shared a distribution framework with the Dridex banking trojan. Although the campaign appears to be in a test phase, judging by the multiple minor updates to the dropper during the week, seeing two different ransomware families in the same campaign is so far unusual.
IoCs: