• News
  • Security
  • Products
  • About Seqrite
Seqrite Blog Blog
  • News
  • Security
  • Products
  • About Seqrite
Home  /  Uncategorized  /  An analysis of the Blank Slate Malspam Campaign by Quick Heal Security Labs
04 August 2017

An analysis of the Blank Slate Malspam Campaign by Quick Heal Security Labs

Written by Ankita Ashesh
Ankita Ashesh
Uncategorized
Estimated reading time: 4 minutes

Malspam email or malicious spam email is considered as one of the favorite malware delivery channels for attackers to deliver their malware to their targeted victims. Attackers also run spam email campaigns to distribute their malware to a large number of users.

For attackers to succeed, two things are important – first is to get through the installed security product’s spam email filters and the secondly, the attachment should be opened by the user. To accomplish the second task, attackers use different social engineering tactics to make their malicious email look as legitimate as possible in order to trick users into opening such attachments.

About the Blank Slant Malspam Campaign

Since March 2017 we have been observing this campaign where the attacker has used emails leaving the body blank and subject line blank or unclear; hence the name ‘Blank Slate’. We found the sender’s email ID to be spoofed. Users are receiving emails with attachments only. Due to the absence of these fields, other than looking for an attachment, there is no way for the user to understand what the email is about. This tricks the user into opening the malicious attachments out of curiosity and this triggers an infection. A typical malspam used in the Blank Slate Campaign looks like the below figure.

1-image

Fig 1: Blank Slate Email

Infection Routine:

Attachments of these email campaigns contain a nested zip file – a zip file inside a zip file. Inside the second zip file, the actual malware downloader is placed. For now, we have observed that either a JavaScript (.js) file or Microsoft Word Document (.doc) file is delivered via this malspam. The Blank Slate Campaign follows the below infection routine.

2-imageFig 2: Blank Slate Infection Routine

The final infection in both the cases (JavaScript or Word) was observed to be a variant of a ransomware. In some instances, doc files also were observed to be trying to exploit CVE-2017-0199 on MS-Office vulnerable systems.

Blank Slate Delivering Ransomware Variants

Cerber Ransomware

The Blank Slate Campaign was first observed in March 2017 and was used further to spread Cerber Ransomware for a long period of time. The spam email used in this particular campaign is the one shown in fig 1. The zip attachment in the spam email contained another zip file with the name “45214_ZIP.zip’. This file contained an actual malware downloader with the name 44582.js. When the user clicks on this .js file, it automatically downloads and executes the Cerber Ransomware. This ransomware was getting downloaded from a domain whose name ends with “.top”. Cerber has been one of the most dominating ransomware families for the last 2 years. After successful encryption, this variant appends the .aeac extension to the encrypted files.

3-image

Fig 3: Cerber infected System with Ransom Note and Encrypted Files

Some other instances of spam emails were also observed where doc files were getting delivered. These files were trying to exploit CVE-2017-0199 that downloads and executes malware on the victim’s computer.

Aleta – a variant of BTCWare Ransomware

In the last week of July 2017, the Aleta variant of BTCWare ransomware was getting delivered via the Blank Slate Campaign. Once inside a computer, it encrypts its data and appends “.aleta” to the encrypted files. We also observed that the Aleta variant using RDP (Remote Desktop Protocol) brute-forcing attack to infect the victim. In both the cases, its encryption activity remains the same irrespective of the change in its infection vector.

Globeimposter Ransomware also used Blank Slate

Globeimposter Ransomware has been active in the wild since last month. It appends different extensions like .HappyDayzz, .707, .700, .GOTHAM, and .crypt to the encrypted files. This ransomware is delivered to the users via malicious spam emails.

In the case of the “.crypt” variant, it has been observed that the ransomware is delivered using the Blank Slate Campaign via .js files contained in nested zip files. Once encryption is complete, it drops the below ransom note file with the name “!back_files!.html”, containing instructions on how to pay the ransom to get the decryption keys.

4-image

Fig 4: globimposter Ransom Note

Seqrite Endpoint Security Detection

Seqrite Endpoint Security’s Email Protection successfully detects and blocks this campaign at its initial level.

image-5

Fig 5: Seqrite Endpoint Security’s email protection detects Blank Slate Campaign

Stay away from ransomware with these security tips

  • Do not download attachments that arrive in emails from unwanted or unexpected sources. Even if such emails seem to be from a known source, it is better to call up the sender and verify them first.
  • If you get an email that seems unclear or strange, do not let your curiosity get the better of you. Do not respond to the email.
  • Back up your files on a regular basis. Remember to disconnect the Internet while you are backing up on an external hard drive. Unplug the drive before you go online again. Several free and paid Cloud backup services available on the market that can take data backup periodically.
  • Provide read/write privileges to network shares only when required. Try not to keep open shares as they are likely to fall prey to encryption if there is a ransomware infection.
  • Use an antivirus software that gives multilayered protection against infected emails, malicious websites, and stop infections that can spread through USB drives. Keep the software up-to-date.
  • Apply recommended security updates for your computer’s Operating System and all other programs such as Adobe, Java, Internet browsers, etc.

Acknowledgment

Subject Matter Expert

  • Prashil Moon | Quick Heal Security Labs

 Previous PostDangers of hackers breaking into your printer
Next Post  Who’s hacking your network? Know more about cyber criminals
Ankita Ashesh
About Ankita Ashesh

...

Articles by Ankita Ashesh »

Related Posts

  • Gorgon APT fractures India’s Industrial Backbone

    Gorgon APT targeting MSME sector in India

    August 10, 2020
  • Way Out of The MAZE: A Quick Guide For Defending Against Maze Ransomware

    May 21, 2020
  • The-need-for-businesses-to-empower-the-CISO

    Why do boards need to empower their CISO?

    October 22, 2019

No Comments

Leave a Reply.Your email address will not be published.

Cancel reply

CAPTCHA Image
Refresh Image

Popular Posts

  • The Data breach inferno burning big-ticket businesses The Data breach inferno burning big-ticket businesses February 5, 2021
  • Pharma Sector needs to streamline its insides to avoid cyberattacks Pharma Sector needs to streamline its insides to avoid cyberattacks February 12, 2021
  • Turn the Page: Cybersecurity Predictions for 2021 & beyond Turn the Page: Cybersecurity Predictions for 2021 & beyond February 18, 2021

Featured Authors

  • Seqrite
    Seqrite

    Follow us for the latest updates and insights related to security for...

    Read more..
  • Viraj Talikotkar
    Viraj Talikotkar

    Viraj is a Lead Technical Writer at Quick Heal Technologies. He is always on...

    Read more..
  • Sanjay Katkar
    Sanjay Katkar

    Sanjay Katkar is the Joint Managing Director and Chief Technology Officer of...

    Read more..

Latest Posts

  • Businesses now worried about the surge in COVID-19 infodemic

    Businesses now worried about the surge in COVID-19 infodemic

    February 26, 2021
  • Turn the Page: Cybersecurity Predictions for 2021 & beyond

    Turn the Page: Cybersecurity Predictions for 2021 & beyond

    February 18, 2021
  • Pharma Sector needs to streamline its insides to avoid cyberattacks

    Pharma Sector needs to streamline its insides to avoid cyberattacks

    February 12, 2021

Stay Updated!

Topics

Antivirus For Linux (10) apt (9) BYOD (9) COVID-19 (10) Cyber-attack (31) cyber-attacks (56) cyberattacks (12) Cybersecurity (279) cyber security (25) Cyber threat (29) cyber threats (44) Data (11) data breach (50) data breaches (27) data loss (28) data loss prevention (33) data protection (21) data security (13) DLP (49) Encryption (16) endpoint security (102) Enterprise security (14) EPS (9) Exploit (12) firewall (11) hackers (9) IoT (10) malware (58) malware attack (22) malware attacks (12) MDM (25) mobile device management (9) Network security (18) Patch Management (12) phishing (16) Ransomware (56) ransomware attack (29) ransomware attacks (30) ransomware protection (12) Seqrite (24) Seqrite Encryption (27) Seqrite EPS (33) Seqrite Services (16) UTM (34) Vulnerability (10)

Products

  • Endpoint Security (EPS)
  • Seqrite Encryption Manager
  • Seqrite Endpoint Security Cloud
  • Cloud Security
  • Seqrite mSuite
  • Seqrite MobiSMART
  • Unified Threat Management
  • Seqrite Secure Web Gateway
  • Antivirus for Server
  • Antivirus for Linux

Resources

  • White Papers
  • Datasheets
  • Threat Reports
  • Manuals
  • Case Studies

About Us

  • Company Overview
  • Leadership
  • Why choose SEQRITE?
  • Awards & Certifications
  • Newsroom

Archives

  • By Date
  • By Category

© 2020 Quick Heal Technologies Ltd. (Formerly Known as Quick Heal Technologies Pvt. Ltd.) Cookie Policies Privacy Policies

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website.
By browsing this website, you agree to our cookie policy.