FakeGlobe and Cerber Ransomware: Sneaking under the radar while WeCry

Recently, we observed a constant influx of spam that distributes two ransomware families, perhaps trying to sneak in while everyone is focused with the recent WannaCry malware. Based on data from our Spam Research Database, an email campaign distributing FakeGlobe ransomware started last May 19th and died down on May 21st . But just a couple hours later it was the Cerber ransomware's turn which subsided three days later.

Graph3

Figure 1: Volume of FakeGlobe and Cerber related Spam.

The Cerber family started to emerge during the 1st quarter of 2016 and has been seen being distributed via Neutrino or Magnitude exploit kits and spam emails using VBScript files. On the other hand, FakeGlobe ransomware samples were first seen in the last quarter of 2016 via malicious spam and are considered to be closely related to the Globe ransomware families.

This is not a massive campaign, but we did notice almost 31,000 spam emails in our system distributed for both types of malware. While we don't know the botnet origin of these email spams, we can see the majority of the spam originates from Vietnam, India, and Laos. This merely indicates where the compromised computers are located.

SpamByCountry

Figure 2: FakeGlobe and Cerber Spam Origin.

Infection Vector

The email spam related to FakeGlobe and Cerber comes with a ZIP attachment, a blank Subject and does not include any email body.

Fakeglobe_mail1

Figure 3: Sample Email

For FakeGlobe, the ZIP will extract an obfuscated JS file and there are two variations. As shown in the figure below, the first variation is encoded using MS Script Encoder which uses unique delimiters (#@~^ and ^#~@). There is an available tool to decode this.

Fakeglobe_JS31

Figure 4: MS Encoded Script – FakeGlobe

The second variation uses the eval() and executes both split() and join() functions.

Fakeglobe_encoded

Figure 5: Obfuscated Script – FakeGlobe

A classic way to de-obfuscate the code is to write the output of the eval() function into the document stream by using document.write.

Fakeglobe_decoding

Figure 6: Handling the Obfuscated Script – FakeGlobe

Decoding both of two scripts results in proper JS code which downloads a binary file, uses a random string of digits as a filename and executes it.

Decoded_script1

Figure 7: Decoded/De-obfuscated Script for FakeGlobe

Download URLs (FakeGlobe):

hxxp://realpolyfv.top/admin.php?f=404

hxxp://realpolyfv.top/admin.php?f=1

hxxp://justgoogkaz.top/admin.php?f=404

Hash Details (FakeGlobe):

MD5: 1BBD2DC9746292C60121865663B287F2

SHA-1: 04644335EF7523274146A4F39AB30621C2A2A9A1

SHA-256: 2815C8CDB02003298F7959FD1CF6EED893DE6652F3861A6A2E3E5744B8AC9234

For the Cerber variants, the ZIP file only holds an obfuscated JS file and decoding it will download a different binary file.

Cerber_decoded

Figure 8: De-obfuscated Script for Cerber

Download URLs (Ceber):

hxxp://zopoaheika.top/admin.php?f=1

Hash Details (Ceber):

MD5: AE5A348B9DD0AC3A6A46E70C82FA9C38

SHA-1: F440EDC4FE35452D0FBEC35A5C352295F3E3BF0C

SHA-256: 73A7497C8FA283B444242259AE061D5CBB705BE04B5F531F1096A2C236BB5204

Executable Payload

The binary files of both FakeGlobe and Cerber still maintain the same behavior of their previous variants where they encrypt files, with just a few minor changes on the ransom note file. Cerber uses a different filename for its ransom note, _R_E_A_D___T_H_I_S___{random}.html or _R_E_A_D___T_H_I_S___{random}.txt. It retains the same old contents of the ransom note except for the details of its URL payments.

CerberNote

Figure 9: Cerber's Ransom Note

FakeGlobe still drops how_to_back_files.html but it has changed the details of the email address used to forward the screenshot of the bitcoin payments.

Fakeglobe_rnote2

Conclusion

While everyone is riding the WeCry/WannaCry wave and focused on patching vulnerabilities related to SMB server, FakeGlobe and Cerber ransomware continue a low-profile attack via email. Each of these emails has a unique attachment because of the obfuscated JavaScript code. By the time this script downloads the main ransomware, it is too late. Thus, it is desirable to try and block this at the email gateway.

  • Use an email gateway with multiple layers of protection, including anti-spam, and anti-malware layers with up to date signatures
  • At a policy level, consider blocking inbound *.js files at the email gateway – we are currently seeing many malicious email campaigns that use *.js files

The Trustwave Secure Email Gateway recognizes and blocks this threat campaign.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.