Malspam email or malicious spam email is considered as one of the favorite malware delivery channels for attackers to deliver their malware to their targeted victims. Attackers also run spam email campaigns to distribute their malware to a large number of users.
For attackers to succeed, two things are important – first is to get through the installed security product’s spam email filters and the secondly, the attachment should be opened by the user. To accomplish the second task, attackers use different social engineering tactics to make their malicious email look as legitimate as possible in order to trick users into opening such attachments.
About the Blank Slant Malspam Campaign
Since March 2017 we have been observing this campaign where the attacker has used emails leaving the body blank and subject line blank or unclear; hence the name ‘Blank Slate’. We found the sender’s email ID to be spoofed. Users are receiving emails with attachments only. Due to the absence of these fields, other than looking for an attachment, there is no way for the user to understand what the email is about. This tricks the user into opening the malicious attachments out of curiosity and this triggers an infection. A typical malspam used in the Blank Slate Campaign looks like the below figure.
Blank Slate Delivering Ransomware Variants
The Blank Slate Campaign was first observed in March 2017 and was used further to spread Cerber Ransomware for a long period of time. The spam email used in this particular campaign is the one shown in fig 1. The zip attachment in the spam email contained another zip file with the name “45214_ZIP.zip’. This file contained an actual malware downloader with the name 44582.js. When the user clicks on this .js file, it automatically downloads and executes the Cerber Ransomware. This ransomware was getting downloaded from a domain whose name ends with “.top”. Cerber has been one of the most dominating ransomware families for the last 2 years. After successful encryption, this variant appends the .aeac extension to the encrypted files.
Some other instances of spam emails were also observed where doc files were getting delivered. These files were trying to exploit CVE-2017-0199 that downloads and executes malware on the victim’s computer.
Aleta – a variant of BTCWare Ransomware
In the last week of July 2017, the Aleta variant of BTCWare ransomware was getting delivered via the Blank Slate Campaign. Once inside a computer, it encrypts its data and appends “.aleta” to the encrypted files. We also observed that the Aleta variant using RDP (Remote Desktop Protocol) brute-forcing attack to infect the victim. In both the cases, its encryption activity remains the same irrespective of the change in its infection vector.
Globeimposter Ransomware also used Blank Slate
Globeimposter Ransomware has been active in the wild since last month. It appends different extensions like .HappyDayzz, .707, .700, .GOTHAM, and .crypt to the encrypted files. This ransomware is delivered to the users via malicious spam emails.
In the case of the “.crypt” variant, it has been observed that the ransomware is delivered using the Blank Slate Campaign via .js files contained in nested zip files. Once encryption is complete, it drops the below ransom note file with the name “!back_files!.html”, containing instructions on how to pay the ransom to get the decryption keys.
Quick Heal Detection
Quick Heal Email Protection successfully detects and blocks the Blank Slate campaign at its initial level.
Stay away from ransomware with these security tips