Cerber ransomware is infecting unsuspecting users via malspam emails sent out by the "Blank Slate" attack campaign. Blank Slate is known for sending out attack emails with two defining characteristics. First, the emails don't come with any message text. Second, they don't contain any information that gives away the nature of their attachments. Even their subject lines tend to be a seemingly random mess of numbers and characters. Numerous hosts across the globe are responsible for sending out Blank Slate emails. All the email addresses are spoofed. Here's what one such email with a spoofed sender address looks like:
An email from the Blank Slate campaign. (Source: SANS ISC InfoSec Forums) The attachment comes as a zip archive. Clicking on it reveals yet another zip archive that conceals either a Microsoft Word document containing malicious macros or a malicious .js file containing obfuscated script. Brad Duncan, a handler for the SANS Internet Storm Center, explains in a blog post why you don't want to click on either of those files:
"On Monday 2017-03-20, I ran one of the extracted .js files on a vulnerable Windows host. After an initial HTTP GET request for the ransomware binary, post-infection traffic was similar to several other recent examples of Cerber. You'll see UDP traffic from the infected host over port 6892. That's followed by HTTP traffic to a domain starting with p27dokhpz2n7nvgr and ending with .top. IP addresses for the UDP traffic changes every week or two (or longer). Post-infection HTTP domains change more frequently."
Chain of events for a Blank Slate Cerber infection. (Source: SANS ISC InfoSec Forums) Cerber ransomware has been around since at least February 2016. Since then, attackers have created an affiliate scheme for the scourge. They've also incorporated it into numerous campaigns including pseudo-Darkleech infections and exploit kit attacks. Instances of Cerber observed in this assault are demanding 1 Bitcoin (or approximately 1,030 USD) from their victims. Fortunately, it might never get to that point for a user. There are several red flags that should give the campaign away. Duncan elaborates:
"I always wonder how effective campaigns like this are. Potential victims must open an attachment from a blank email, go through two zip archives, then double-click the final file. If the final file is a Word document, the victim must also enable macros."
With that said, users can protect themselves against ransomware-laden malspam by never clicking on suspicious links or email attachments, especially those contained in emails that don't come with any message content. They should also disable macros in Office documents by default. Finally, they should regularly back up their data just in case they ever suffer an infection at the hands of Cerber or another ransomware family.
