SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Unit 42 reports 'Blank Slate' malspam campaign pummels hosting providers in 'cycle of abuse'
Tue, 14th Mar 2017

Palo Alto Networks' Unit 42 has provided an inside look at how a malicious spam campaign is using double-zipped attachments to spread ransomware on Windows computers.

The company revealed that the malspam campaign, dubbed ‘Blank Slate’ because the emails have no message content and just attachments, is the latest in a series of attempts to spread malware.

The Blank Slate campaign was also active in distributing Microsoft Word documents to spread malware. While the domains associated with that particular campaign were taken down, new ones quickly appeared.

The latest Blank Slate campaign begins with malspam sent from a botnet. The victim opens the attachment, which is double zipped, and the extracted file then downloads ransomware.

Unit 42 believes that the ransomware is double zipped to avoid detection by antimalware systems, although the tactic may also cause victims to get frustrated and abandon the attempt to open the file. The extracted file is either a Microsoft Word document with a malicious macro or a .js file.

Unit 42 says the process works as below:

  • Attacker's botnet sends malspam to the intended recipient.
  • User ignores security warnings and opens the zip archive included in the malspam.
  • User ignores security warnings and manually extracts either a Microsoft Word document or a JavaScript (.js) file.
  • User ignores warnings and manually enables macros for the Word document or user double-clicks the .js file.
  • Word macro or .js file retrieves a ransomware executable from a web server.
  • Word macro or .js file executes the ransomware on the user's computer in the user's security context.

The Word macro contains a script that executes once the victim has enabled macros, while the .js file carries malicious JavaScript that executes when the file is opened. Both methods then use PowerShell to execute the ransomware.
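As an added illustration, not code from Unit 42 or from the article, the following Python routine inspects an e-mail attachment for the double-zipped pattern described above: it walks nested zip archives and reports whether the inner layer delivers a .js file or a Word document. The extension list, the depth limit and the sample-building helper are assumptions made for this demonstration.

```python
import io
import zipfile

# File types the article associates with the Blank Slate payload (.js and Word
# documents); the exact extension list is an assumption for this example.
SUSPECT_EXTENSIONS = {".js", ".doc", ".docm", ".docx"}
MAX_DEPTH = 4  # assumed guard against deeply nested archives / zip bombs


def inspect_attachment(data: bytes, depth: int = 0) -> dict:
    """Recursively walk a zip attachment.

    Returns {"max_depth": int, "suspect": [member names]}; depth 0 is the
    outermost archive, so max_depth >= 1 means a zip was found inside a zip.
    Non-zip input yields depth 0 and no findings.
    """
    report = {"max_depth": depth, "suspect": []}
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in SUSPECT_EXTENSIONS:
                report["suspect"].append(info.filename)
                continue  # OOXML documents are zip containers themselves; do not recurse into them
            inner = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(inner)):
                sub = inspect_attachment(inner, depth + 1)
                report["max_depth"] = max(report["max_depth"], sub["max_depth"])
                report["suspect"].extend(sub["suspect"])
    return report


def is_blank_slate_like(data: bytes) -> bool:
    """Flag the pattern the article describes: a zip inside a zip delivering a .js or Word file."""
    r = inspect_attachment(data)
    return r["max_depth"] >= 1 and bool(r["suspect"])


def build_sample(inner_name: str, nested: bool = True) -> bytes:
    """Construct a harmless in-memory attachment for testing (constructed data, not a real sample)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(inner_name, "// placeholder content, nothing executable")
    if not nested:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()
```

A mail gateway or sandbox hook would call `is_blank_slate_like()` on each attachment body and quarantine or flag the message when it returns true.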

Unit 42 says this campaign, which closely resembles other Word macro compromises, has been ongoing for at least seven months. Over that time the attackers have abused more than 555 domains, with new ones popping up all the time.

Some of the domains stayed up for more than seven days before hosting providers were notified. Because registering a domain is so easy, it is also easy and cheap for criminals to set one up using disposable credentials, Unit 42 says.

When one domain gets taken down, a ‘cycle of abuse’ continues as criminals set up new domains and IP addresses.

“With the current popularity of ransomware, we continue to see malspam daily in both targeted attacks and wide-scale distribution. We expect this trend will continue,” the blog says.