For the last 2 weeks, we have been observing a malware campaign using spam emails that look like they are from United States Postal Service (USPS) or FedEx. These emails are distributing the Cerber Ransomware along with Kovter Trojan – a lethal combination!
The spam email carries a malicious script file that connects to compromised websites from which additional components are downloaded. We have come across about 300 such websites, hacked by the attackers, being used in this malware campaign.
How the attack works
The victim first opens the email attachment containing a script file expecting it to be the document mentioned in the received email.
Fig 1. Malicious script file
The script is executed by Windows Script Host (wscript.exe) and connects to one of the compromised websites to download a ‘counter.js’ file, which is then executed from the temp directory itself. The counter.js file downloads another document file, which in turn downloads the Cerber Ransomware payload. The payload is dropped in the Windows temp directory (%temp%), from where it is executed and starts encrypting the victim’s files.
Fig 2. Ransom note of Cerber Ransomware
Cerber encrypts the user’s data, appends a random extension to each file, and demands a ransom in exchange for a key that can decrypt the data.
Fig 3. Files encrypted by Cerber with random characters
The attack, however, does not stop at data encryption. The script file (mentioned earlier) then proceeds to install the Kovter fileless malware, which hides in the Windows Registry and is therefore hard to detect. Like other Trojans, Kovter gathers the user’s data and sends it to its Command & Control (CnC) server, which is controlled by the attacker. Kovter is also used for click fraud campaigns, where a computer or a person is maliciously used to click on online ads to generate revenue.
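The execution chain described above (a script attachment run by wscript.exe, counter.js executed from the temp directory, and the payload launched from %temp%) leaves a recognisable pattern in process-creation telemetry. The following is an added detection example written for this post; it is not Quick Heal's detection logic. It runs two simple rules over constructed Sysmon/EDR-style process-creation records: a script host executing a script from a temp directory, and an executable in a temp directory spawned by a script host. The file names in the sample events (USPS_Label_0421.js, payload.exe) and the field names are assumptions; the post does not name the payload file.

```python
import re

# Process images that act as Windows Script Host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script types Windows Script Host will run from a command line.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Path fragments identifying the user and system temp directories (lower-case).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed sample process-creation events (not taken from the post). The
# chain 1001 -> 1002 -> 1003 mirrors the campaign: attachment script, counter.js
# from temp, payload from temp. 1004 and 1005 are benign control events.
SAMPLE_EVENTS = [
    {"pid": 1001, "ppid": 800, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\USPS_Label_0421.js"'},
    {"pid": 1002, "ppid": 1001, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\counter.js"},
    {"pid": 1003, "ppid": 1002, "image": r"C:\Users\alice\AppData\Local\Temp\payload.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\payload.exe"},
    {"pid": 1004, "ppid": 800, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\Documents\notes.txt"},
    {"pid": 1005, "ppid": 800, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_temp_path(path: str) -> bool:
    """True if the path lies under a user or system temp directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def command_tokens(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted paths intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def script_arguments(cmdline: str) -> list:
    """Arguments (everything after the program token) that name a script file."""
    return [tok for tok in command_tokens(cmdline)[1:]
            if tok.lower().endswith(SCRIPT_EXTENSIONS)]


def evaluate(events: list) -> list:
    """Return (pid, rule_name) alerts for the two chain-detection rules."""
    by_pid = {event["pid"]: event for event in events}
    alerts = []
    for event in events:
        image = basename(event["image"])
        # Rule 1: wscript/cscript launched with a script that lives in a temp directory.
        if image in SCRIPT_HOSTS and any(is_temp_path(s) for s in script_arguments(event["cmdline"])):
            alerts.append((event["pid"], "script_host_running_script_from_temp"))
        # Rule 2: a binary located in a temp directory whose parent is a script host.
        parent = by_pid.get(event["ppid"])
        if parent and basename(parent["image"]) in SCRIPT_HOSTS and is_temp_path(event["image"]):
            alerts.append((event["pid"], "temp_executable_spawned_by_script_host"))
    return alerts


if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Both rules fire on the sample chain (1001, 1002 and 1003) and stay silent on the benign events, including a legitimate logon script run by wscript.exe from outside a temp directory. In practice the parent lookup should be done against the full process history rather than a single batch, and the rules are best combined with the network activity the post describes (script host reaching out to web servers) to reduce noise.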
Read more about Kovter in our blog post: Kovter: the fileless click fraud malware
Quick Heal Detection