
Unit 42 reports 'Blank Slate' malspam campaign pummels hosting providers in 'cycle of abuse'

14 Mar 2017

Palo Alto Networks’ Unit 42 has provided an inside look at how a malicious spam campaign is using double-zipped Word files to spread ransomware on Windows computers.

The company revealed that the malspam campaign, dubbed ‘Blank Slate’ because the emails have no message content and just attachments, is the latest in a series of attempts to spread malware.

Blank Slate has also been observed spreading malware through Microsoft Word documents. While the domains associated with that particular campaign were taken down, new ones were quickly registered.

In the latest Blank Slate campaign, the malspam is sent by a botnet. The victim opens the attachment, which is double zipped, and the embedded content then downloads ransomware.

Unit 42 believes that the ransomware is double zipped to avoid detection by antimalware systems, although the tactic may also lead frustrated victims to give up trying to open the file. The inner file is a Microsoft Word document with a malicious macro, or a .js file.

Unit 42 says the process works as below:

  • Attacker’s botnet sends malspam to the intended recipient.
  • User ignores security warnings and opens the zip archive included in the malspam.
  • User ignores security warnings and manually extracts either a Microsoft Word document or a JavaScript (.js) file.
  • User ignores warnings and manually enables macros for the Word document or user double-clicks the .js file.
  • Word macro or .js file retrieves a ransomware executable from a web server.
  • Word macro or .js file executes the ransomware on the user’s computer in the user’s security context.

The Word macro contains a script that executes once the victim has enabled macros, while the .js file contains malicious JavaScript that runs when double-clicked. Both methods then use PowerShell to execute the ransomware.
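As an added illustration from the defender's side (this is not code from the Unit 42 report), the following Python helper inspects a zip attachment for the double-zipped layout described above: it descends into nested archives and flags inner .js or Word members, with a depth cap so a deeply nested archive cannot recurse forever. The sample archive it builds is constructed for the demo and holds only placeholder text.

```python
import io
import zipfile

# File types the report describes inside the inner archive of Blank Slate malspam
SUSPECT_EXTENSIONS = (".js", ".doc", ".docm", ".dot", ".dotm")


def inspect_attachment(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Walk a zip attachment, descending into nested zips, and return
    (nesting_depth, member_name) pairs for members of the suspect types.
    Depth is capped so a pathologically nested archive cannot recurse forever."""
    findings = []
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            if lower.endswith(SUSPECT_EXTENSIONS):
                findings.append((depth, info.filename))
            elif lower.endswith(".zip"):
                # Nested archive: read it into memory and inspect one level deeper
                findings.extend(inspect_attachment(zf.read(info), depth + 1, max_depth))
    return findings


def is_double_zipped_lure(data: bytes) -> bool:
    """True when a .js or Word file sits inside a zip that is itself inside the
    attachment, i.e. the double-zipped pattern the campaign uses."""
    return any(depth >= 1 for depth, _ in inspect_attachment(data))


def build_sample(inner_name: str, nested: bool = True) -> bytes:
    """Constructed test input (not a real sample): a zip holding inner_name,
    optionally wrapped in a second zip to mimic the double-zipped lure."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(inner_name, "placeholder content, not malicious")
    if not nested:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample("invoice.js")
    print(inspect_attachment(sample), is_double_zipped_lure(sample))
```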

Unit 42 says this campaign shares characteristics with other Word macro compromises and has been ongoing for at least seven months, during which the attackers have abused more than 555 domains, with new ones popping up all the time.

Some of the domains lasted more than seven days before hosting providers were notified. Because registering a domain is so easy, it is also easy and cheap for criminals to set one up with disposable credentials, Unit 42 says.

When one domain gets taken down, a ‘cycle of abuse’ continues as criminals set up new domains and IP addresses.

“With the current popularity of ransomware, we continue to see malspam daily in both targeted attacks and wide-scale distribution. We expect this trend will continue,” the blog says.
