Unit 42 reports 'Blank Slate' malspam campaign pummels hosting providers in 'cycle of abuse'

14 Mar 2017

Palo Alto Networks’ Unit 42 has provided an inside look at how a malicious spam campaign is using double-zipped Word files to spread ransomware on Windows computers.

The company revealed that the malspam campaign, dubbed ‘Blank Slate’ because the emails have no message body and carry only attachments, is the latest in a series of attempts to spread malware.

An earlier Blank Slate campaign also used Microsoft Word documents to spread malware. While the domains associated with that particular campaign were taken down, new ones were quickly registered.

In the latest Blank Slate campaign, a botnet sends the malspam. The victim opens the attachment, which is double zipped, and the file inside then downloads ransomware.

Unit 42 believes the attachment is double zipped to avoid detection by antimalware systems, although the tactic may also frustrate victims into abandoning the attempt to open the file. The file inside is either a Microsoft Word document with a malicious macro or a .js file.

Unit 42 says the process works as below:

  • Attacker’s botnet sends malspam to the intended recipient.
  • User ignores security warnings and opens the zip archive included in the malspam.
  • User ignores security warnings and manually extracts either a Microsoft Word document or a JavaScript (.js) file.
  • User ignores warnings and manually enables macros for the Word document or user double-clicks the .js file.
  • Word macro or .js file retrieves a ransomware executable from a web server.
  • Word macro or .js file executes the ransomware on the user’s computer in the user’s security context.
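The double-zipped attachment in the steps above is something a mail gateway or a triage script can check for. The following is an added example, not code from Unit 42 or from the article: it recursively unpacks a zip attachment in memory, records how many archive layers wrap each file, and flags a .js file or a macro-enabled Word document (an OOXML file carrying a `word/vbaProject.bin` part) that sits two or more layers deep. The sample attachments are constructed here with harmless placeholder contents; the file names, the depth limit and the size guard are this example's own assumptions, not values from the campaign.

```python
"""Flag double-zipped attachments that wrap a script or a macro-enabled Word document."""
import io
import zipfile
from dataclasses import dataclass

MAX_DEPTH = 4                        # assumption: stop expanding archives nested deeper than this
MAX_MEMBER_BYTES = 5 * 1024 * 1024   # assumption: do not inflate members larger than this (zip-bomb guard)

SCRIPT_EXT = (".js", ".jse", ".wsf", ".vbs")
WORD_EXT = (".doc", ".dot", ".docm", ".docx", ".dotm", ".dotx")


@dataclass(frozen=True)
class Finding:
    path: str      # e.g. "blank.zip/invoice.zip/invoice.js"
    depth: int     # number of archive layers wrapping the file
    reason: str
    payload: bool  # True when the file could execute code if opened


def _has_vba_project(data: bytes) -> bool:
    """OOXML Word files are zips; a macro-enabled one contains word/vbaProject.bin."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return "word/vbaProject.bin" in zf.namelist()


def scan_attachment(data: bytes, name: str, depth: int = 0, findings=None) -> list:
    """Walk nested zip archives and collect findings; depth 0 is the attachment itself."""
    if findings is None:
        findings = []
    lower = name.lower()
    is_word = lower.endswith(WORD_EXT)
    # A zip that is not an OOXML document is an archive layer: descend into it.
    if zipfile.is_zipfile(io.BytesIO(data)) and not is_word:
        if depth >= MAX_DEPTH:
            findings.append(Finding(name, depth, "nesting limit reached; not expanded", False))
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_path = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(Finding(member_path, depth + 1, "oversized member skipped", False))
                    continue
                scan_attachment(zf.read(info), member_path, depth + 1, findings)
        return findings
    # Leaf file: classify by what it could do when opened.
    if lower.endswith(SCRIPT_EXT):
        findings.append(Finding(name, depth, "script file", True))
    elif is_word and _has_vba_project(data):
        findings.append(Finding(name, depth, "Word document with VBA project", True))
    elif lower.endswith((".doc", ".dot")):
        findings.append(Finding(name, depth, "legacy binary Word document (macros not inspected here)", True))
    return findings


def looks_like_blank_slate(findings) -> bool:
    """Executable payload wrapped in at least two archive layers, as the article describes."""
    return any(f.payload and f.depth >= 2 for f in findings)


# --- constructed samples (harmless placeholders, not the campaign's files) ---
def _zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def sample_js_attachment() -> bytes:
    inner = _zip_bytes({"invoice.js": b"// constructed placeholder, does nothing\n"})
    return _zip_bytes({"invoice.zip": inner})


def sample_macro_doc_attachment() -> bytes:
    doc = _zip_bytes({"[Content_Types].xml": b"<Types/>",
                      "word/document.xml": b"<w:document/>",
                      "word/vbaProject.bin": b"placeholder"})
    inner = _zip_bytes({"invoice.zip": _zip_bytes({"invoice.docm": doc})})
    return _zip_bytes({"outer.zip": inner}) if False else _zip_bytes({"invoice.zip": _zip_bytes({"invoice.docm": doc})})


def sample_clean_attachment() -> bytes:
    return _zip_bytes({"report.pdf": b"%PDF-1.4 constructed placeholder"})


if __name__ == "__main__":
    for label, blob in (("js", sample_js_attachment()), ("docm", sample_macro_doc_attachment()),
                        ("clean", sample_clean_attachment())):
        found = scan_attachment(blob, "blank.zip")
        print(label, looks_like_blank_slate(found), [(f.path, f.depth, f.reason) for f in found])
```

A single-layer zip holding a .js file still produces a finding, but only the two-layer case trips `looks_like_blank_slate`; a gateway would typically quarantine on either, and the depth is what ties the sample to this campaign's packaging.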

The Word macro contains a script that runs once the victim has enabled macros, while the .js file carries malicious JavaScript that runs when it is double-clicked. Both methods then use PowerShell to execute the ransomware.
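Because both delivery paths end with Word or the Windows script host spawning PowerShell, the process lineage is a practical detection point on the endpoint. The following is an added example, not from Unit 42 or the article: it parses a handful of constructed, Sysmon-style process-creation events (key="value" fields, simplified) and raises an alert when a PowerShell or cmd process has an Office application or wscript/cscript as its parent. The log format, field names, paths and user names are this example's own assumptions, and the command lines are harmless placeholders.

```python
"""Flag shells spawned by Office applications or the Windows script host."""
import re
from dataclasses import dataclass

# Parents a user-opened document or .js file would run under (assumed set, extend per environment).
DOCUMENT_AND_SCRIPT_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    parent_image: str
    image: str
    command_line: str
    user: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed key="value" event line into a ProcessEvent."""
    fields = dict(FIELD_RE.findall(line))
    return ProcessEvent(fields["ts"], fields["ParentImage"], fields["Image"],
                        fields["CommandLine"], fields["User"])


def is_suspicious(ev: ProcessEvent) -> bool:
    """Document/script host -> shell is the chain described for the Blank Slate payloads."""
    return _basename(ev.parent_image) in DOCUMENT_AND_SCRIPT_HOSTS and _basename(ev.image) in SHELLS


def detect(lines) -> list:
    """Return the events that match, in log order."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample events: two matching chains, two benign ones.
SAMPLE_LOG = [
    r'ts="2017-03-14T09:12:01Z" ParentImage="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" '
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="powershell.exe -NoProfile -File placeholder.ps1" User="CORP\jdoe"',
    r'ts="2017-03-14T09:15:44Z" ParentImage="C:\Windows\System32\wscript.exe" '
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="powershell.exe -NoProfile -Command placeholder" User="CORP\jdoe"',
    # Benign: an administrator opened a shell from the desktop.
    r'ts="2017-03-14T09:20:10Z" ParentImage="C:\Windows\explorer.exe" '
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="powershell.exe" User="CORP\admin"',
    # Benign: Word launching its print helper.
    r'ts="2017-03-14T09:21:33Z" ParentImage="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" '
    r'Image="C:\Windows\splwow64.exe" CommandLine="splwow64.exe" User="CORP\jdoe"',
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG):
        print(f"ALERT {ev.ts} {ev.user}: {_basename(ev.parent_image)} -> {_basename(ev.image)}")
```

The alert fires on the relationship rather than on the command line, so it holds up regardless of how the PowerShell arguments are obfuscated; the command line and user are kept on the event for the analyst, not for the rule.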

Unit 42 says this campaign and similar Word macro compromises have been ongoing for at least seven months, with the attackers having abused more than 555 domains so far and new ones appearing all the time.

Some of the domains stayed up for more than seven days before hosting providers were notified. Because registering a domain is so easy, it is also cheap and simple for criminals to set one up with disposable credentials, Unit 42 says.

When one domain gets taken down, a ‘cycle of abuse’ continues as the criminals set up new domains and IP addresses.

“With the current popularity of ransomware, we continue to see malspam daily in both targeted attacks and wide-scale distribution. We expect this trend will continue,” the blog says.
