In March 2017, Palo Alto Networks Unit 42 published research on a new malicious spam campaign dubbed "Blank Slate." Named as such because the malspam message is empty. Only the malicious attachment is present, as seen in Figure 1.
Figure 1: Blank Slate malspam e-mail
In this specific attack, two malware-serving domains, or malware servers, were used:
The first, unityqueryzouneasty[.]pw, serves the malware directly as an executable file (Figure 2).
Figure 2: Traffic from unityqueryzouneasty[.]pw
We can quickly identify the executable traversing the network from the TCP stream. This executable is the Cerber ransomware about to be installed on the target system.
The second malware-serving domain, momendfakol[.]top, behaves differently, as seen in Figure 3 and Figure 4.
Figure 3: Traffic from momendfakol[.]top
Figure 4: HTTP Object list
The TCP stream in Figure 3 shows that, instead of downloading a straight binary, it downloads chunks of data. These chunks are observed in Figure 4. There are 68 chunks, each around one kilobyte in size. Initially, I thought reassembling these chunks would result in the actual Cerber executable, but this proved not to be the case. Rather, this sample is an encrypted version of Cerber downloaded to a temporary location and then decrypted during the installation process. This is the same technique used in a recent Locky ransomware attack using HTA files as an infection vector I discussed in a previous blog.
The result of this latest Blank Slate campaign is the same as the earlier iterations of Blank Slate deployments, a system compromised by Cerber ransomware. It is unclear why this latest campaign utilizes two different methods, but it is possible the threat actors used two different malware-serving domains owned by different malicious hosting service providers. The first one serving malware in the traditional way while the second one operates in a paranoid mode.
Learn more about the different technologies used by a malware attack and the people or service providers behind them