Figure 1: The user receives an email from a host in the botnet. The .js file retrieves a ransomware executable from a web server. The .js file executes the ransomware on the user's computer in the user's security context.

These Blank Slate emails come from a botnet consisting of numerous compromised hosts across the globe. Sending email addresses are always spoofed, and they have no relation to the actual botnet host sending the message. The emails only consist of a zip archive sent as a file attachment. As shown in Figure 2, these email messages have no text whatsoever, only an attachment that intended victims are meant to open.

Figure 2: One of the malspam email messages.

The malspam's zip attachment is actually a double-zipped file, meaning it contains another zip archive which itself holds the malicious active content. We believe the attackers chose to use a double-zip tactic as a countermeasure against antispam/antimalware technologies. With an additional layer of user interaction, some intended victims may become frustrated or distracted, and this might lead to an increased failure/abandon rate. However, we believe the attackers decided this was less of a risk than detection by antispam/antimalware technologies.

That second zip archive contains either a Microsoft Word document with a malicious macro as shown in Figure 3, or it contains a .js file as shown in Figure 4.

Figure 3: Example of a malspam attachment with a double-zipped Word document.

Figure 4: Example of a malspam attachment with a double-zipped .js file.

The Word document macro has malicious Visual Basic for Applications (VBA) script that will execute after the user has opened the document and enabled macros. The .js file has malicious JavaScript that will execute within Windows Script Host when it is double-clicked. In both cases, once the malicious script executes, it launches a PowerShell process to download and run ransomware on the Windows host as shown in Figure 5.

Figure 5: Communications between malicious script and server hosting ransomware.

Figure 6 shows an example of the traffic between a malicious .js file and a server hosting the Cerber ransomware.

Figure 6: Traffic from February 2nd 2017 of a .js file and a server hosting the Cerber ransomware.
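A defender-side check for the double-zip attachment layout described above, as an added example that is not part of the original post; the list of active-content extensions, the depth limit and the constructed sample attachment are assumptions, not values from the campaign:

```python
"""Added example (not from the original post): walk a zip attachment, descend into
nested zips and report inner files with active content (.js, Word with macros)."""
import io
import zipfile

# Extensions that execute code when double-clicked or opened with macros enabled.
ACTIVE_EXTS = (".js", ".jse", ".wsf", ".vbs", ".doc", ".docm", ".dot", ".dotm")
MAX_DEPTH = 3  # bound recursion so a self-nesting archive cannot stall the scanner

def scan_zip_bytes(data, depth=0, path=""):
    """Return [(nesting_depth, member_path)] for risky members; depth 1 is the
    double-zip layout described above (a zip inside the attachment zip)."""
    findings = []
    if depth >= MAX_DEPTH:
        return [(depth, path + "<max depth reached>")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive; nothing to descend into
    for info in archive.infolist():
        member = path + info.filename
        lower = info.filename.lower()
        if lower.endswith(".zip"):
            findings += scan_zip_bytes(archive.read(info), depth + 1, member + "/")
        elif lower.endswith(ACTIVE_EXTS):
            findings.append((depth, member))
    return findings

def is_double_zip_lure(data):
    """True when active content sits at nesting depth >= 1 (zip within zip)."""
    return any(d >= 1 for d, _ in scan_zip_bytes(data))

def build_sample(nested=True):
    """Constructed attachment: outer.zip -> inner.zip -> invoice.js (flat if nested=False)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.js", "// constructed placeholder, not real malware\n")
    if not nested:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    print(scan_zip_bytes(build_sample()))  # [(1, 'inner.zip/invoice.js')]
```

A flat zip holding a .js file is still reported by scan_zip_bytes at depth 0; only the nested layout trips is_double_zip_lure, so a gateway can weight the two cases differently.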