Recently, we observed a constant influx of spam distributing two ransomware families, perhaps trying to sneak in while everyone is focused on the recent WannaCry malware. Based on data from our Spam Research Database, an email campaign distributing FakeGlobe ransomware started on May 19th and died down on May 21st. Just a couple of hours later it was the Cerber ransomware's turn, which subsided three days later.
Figure 1: Volume of FakeGlobe and Cerber related Spam.
The Cerber family started to emerge in the first quarter of 2016 and has been distributed via the Neutrino and Magnitude exploit kits and via spam emails carrying VBScript files. FakeGlobe ransomware samples, on the other hand, were first seen in the last quarter of 2016 via malicious spam and are considered closely related to the Globe ransomware families.
This is not a massive campaign, but we did see almost 31,000 spam emails in our system distributing the two malware families. While we don't know which botnet sent these spam emails, we can see that the majority originate from Vietnam, India, and Laos. This merely indicates where the compromised computers are located.
Figure 2: FakeGlobe and Cerber Spam Origin.
Infection Vector
The spam emails related to FakeGlobe and Cerber come with a ZIP attachment, a blank Subject line, and no email body.
Figure 3: Sample Email
For FakeGlobe, the ZIP extracts to an obfuscated JS file, and we have seen two variations. As shown in the figure below, the first variation is encoded with the MS Script Encoder, which is recognizable by its unique delimiters (#@~^ and ^#~@). A tool is available to decode this.
Figure 4: MS Encoded Script – FakeGlobe
The second variation calls eval() on a string that it first reassembles with split() and join().
Figure 5: Obfuscated Script – FakeGlobe
A classic way to de-obfuscate the code is to write the code that eval() would execute into the document stream instead, by swapping the eval() call for document.write.
Figure 6: Handling the Obfuscated Script – FakeGlobe
Decoding either script yields plain JS code that downloads a binary file, saves it under a filename made of random digits, and executes it.
Figure 7: Decoded/De-obfuscated Script for FakeGlobe
Download URLs (FakeGlobe):
hxxp://realpolyfv.top/admin.php?f=404
hxxp://realpolyfv.top/admin.php?f=1
hxxp://justgoogkaz.top/admin.php?f=404
Hash Details (FakeGlobe):
MD5: 1BBD2DC9746292C60121865663B287F2
SHA-1: 04644335EF7523274146A4F39AB30621C2A2A9A1
SHA-256: 2815C8CDB02003298F7959FD1CF6EED893DE6652F3861A6A2E3E5744B8AC9234
For the Cerber variants, the ZIP file holds only an obfuscated JS file; decoding it reveals code that downloads a different binary file.
Figure 8: De-obfuscated Script for Cerber
Download URLs (Cerber):
hxxp://zopoaheika.top/admin.php?f=1
Hash Details (Cerber):
MD5: AE5A348B9DD0AC3A6A46E70C82FA9C38
SHA-1: F440EDC4FE35452D0FBEC35A5C352295F3E3BF0C
SHA-256: 73A7497C8FA283B444242259AE061D5CBB705BE04B5F531F1096A2C236BB5204
Executable Payload
The binaries of both FakeGlobe and Cerber keep the same behavior as their previous variants, encrypting files, with just a few minor changes to the ransom note file. Cerber uses a different filename for its ransom note, _R_E_A_D___T_H_I_S___{random}.html or _R_E_A_D___T_H_I_S___{random}.txt. The contents of the ransom note are otherwise unchanged, except for the payment URL details.
Figure 9: Cerber's Ransom Note
FakeGlobe still drops how_to_back_files.html, but it has changed the email address to which the screenshot of the bitcoin payment is to be forwarded.
Conclusion
While everyone is riding the WeCry/WannaCry wave and focused on patching the SMB server vulnerabilities, FakeGlobe and Cerber ransomware continue a low-profile attack via email. Each of these emails carries a unique attachment because of the obfuscated JavaScript code. By the time this script downloads the main ransomware, it is too late, so it is desirable to block the threat at the email gateway.
The Trustwave Secure Email Gateway recognizes and blocks this threat campaign.