Unit 42 reports 'Blank Slate' malspam campaign pummels hosting providers in 'cycle of abuse'
Palo Alto Networks' Unit 42 has provided an inside look at how a malicious spam campaignis using double-zipped Word files to spread ransomware on Windows computers.
The company revealed that the malspam campaign, dubbed 'Blank Slate' because the emails have no message content and just attachments, is the latest in a series of attempts to spread malware.
The Blank Slate campaign was also active in spreading Microsoft Word documents to spread malware. While the domains associated with that particular campaign were taken down, new ones were quickly made.
The latest Blank Slate campaign works by receiving malspam from a botnet. The victim opens the attachment, which is double zipped, and then downloads ransomware.
Unit 42 believes that the ransomware is double zipped to avoid detection by antimalware systems, although the tactic may also encourage victims to get frustrated and abandon the attempted opening of the file. That file is a Microsoft Word document with a malicious macro, or a .js file.
Unit 42 says the process works as below:
- Attacker's botnet sends malspam to the intended recipient.
- User ignores security warnings and opens the zip archive included in the malspam.
- User ignores security warnings and manually extracts either a Microsoft Word document or a JavaScript (.js) file.
- User ignores warnings and manually enables macros for the Word document or user double-clicks the .js file.
- Word macro or .js file retrieves a ransomware executable from a web server.
- Word macro or .js file executes the ransomware on the user's computer in the user's security context.
The Word macro has a script that will execute once the victim has enabled macro, while the .js file uses malicious JavaScript content that will execute. Both methods use PowerShell to then execute the ransomware.
Unit 42 says the similarity between this campaign and other Word macro compromises has been ongoing for at least seven months. This is because the attackers continue to abuse more than 555 domains, with new ones popping up all the time.
Some of the domains have lasted more than seven days until hosting providers were notified. Because registering a domain is so easy for criminals, it can also be easy and cheap for them to use disposable credentials to set one up, Unit 42 says.
When one domain gets taken down, a 'cycle of abuse' continues as criminals set new domains and IP addresses up.
"With the current popularity of ransomware, we continue to see malspam daily in both targeted attacks and wide-scale distribution. We expect this trend will continue," the blog says.