Trustwave achieves verified MXDR solution and FastTrack ready partner status from Microsoft. Learn More

Trustwave achieves verified MXDR solution and FastTrack ready partner status from Microsoft. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

FakeGlobe and Cerber Ransomware: Sneaking under the radar while WeCry

Recently, we observed a constant influx of spam that distributes two ransomware families, perhaps trying to sneak in while everyone is focused with the recent WannaCry malware. Based on data from our Spam Research Database, an email campaign distributing FakeGlobe ransomware started last May 19th and died down on May 21st . But just a couple hours later it was the Cerber ransomware's turn which subsided three days later.


Figure 1: Volume of FakeGlobe and Cerber related Spam.

The Cerber family started to emerge during the 1st quarter of 2016 and has been seen being distributed via Neutrino or Magnitude exploit kits and spam emails using VBScript files. On the other hand, FakeGlobe ransomware samples were first seen in the last quarter of 2016 via malicious spam and are considered to be closely related to the Globe ransomware families.

This is not a massive campaign, but we did notice almost 31,000 spam emails in our system distributed for both types of malware. While we don't know the botnet origin of these email spams, we can see the majority of the spam originates from Vietnam, India, and Laos. This merely indicates where the compromised computers are located.


Figure 2: FakeGlobe and Cerber Spam Origin.

Infection Vector

The email spam related to FakeGlobe and Cerber comes with a ZIP attachment, a blank Subject and does not include any email body.


Figure 3: Sample Email

For FakeGlobe, the ZIP will extract an obfuscated JS file and there are two variations. As shown in the figure below, the first variation is encoded using MS Script Encoder which uses unique delimiters (#@~^ and ^#~@). There is an available tool to decode this.


Figure 4: MS Encoded Script – FakeGlobe

The second variation uses the eval() and executes both split() and join() functions.


Figure 5: Obfuscated Script – FakeGlobe

A classic way to de-obfuscate the code is to write the output of the eval() function into the document stream by using document.write.


Figure 6: Handling the Obfuscated Script – FakeGlobe

Decoding both of two scripts results in proper JS code which downloads a binary file, uses a random string of digits as a filename and executes it.


Figure 7: Decoded/De-obfuscated Script for FakeGlobe

Download URLs (FakeGlobe):




Hash Details (FakeGlobe):

MD5: 1BBD2DC9746292C60121865663B287F2

SHA-1: 04644335EF7523274146A4F39AB30621C2A2A9A1

SHA-256: 2815C8CDB02003298F7959FD1CF6EED893DE6652F3861A6A2E3E5744B8AC9234

For the Cerber variants, the ZIP file only holds an obfuscated JS file and decoding it will download a different binary file.


Figure 8: De-obfuscated Script for Cerber

Download URLs (Ceber):


Hash Details (Ceber):

MD5: AE5A348B9DD0AC3A6A46E70C82FA9C38

SHA-1: F440EDC4FE35452D0FBEC35A5C352295F3E3BF0C

SHA-256: 73A7497C8FA283B444242259AE061D5CBB705BE04B5F531F1096A2C236BB5204

Executable Payload

The binary files of both FakeGlobe and Cerber still maintain the same behavior of their previous variants where they encrypt files, with just a few minor changes on the ransom note file. Cerber uses a different filename for its ransom note, _R_E_A_D___T_H_I_S___{random}.html or _R_E_A_D___T_H_I_S___{random}.txt. It retains the same old contents of the ransom note except for the details of its URL payments.


Figure 9: Cerber's Ransom Note

FakeGlobe still drops how_to_back_files.html but it has changed the details of the email address used to forward the screenshot of the bitcoin payments.



While everyone is riding the WeCry/WannaCry wave and focused on patching vulnerabilities related to SMB server, FakeGlobe and Cerber ransomware continue a low-profile attack via email. Each of these emails has a unique attachment because of the obfuscated JavaScript code. By the time this script downloads the main ransomware, it is too late. Thus, it is desirable to try and block this at the email gateway.

  • Use an email gateway with multiple layers of protection, including anti-spam, and anti-malware layers with up to date signatures
  • At a policy level, consider blocking inbound *.js files at the email gateway – we are currently seeing many malicious email campaigns that use *.js files

The Trustwave Secure Email Gateway recognizes and blocks this threat campaign.