Spam campaign dropping Cerber ransomware moving away to Sage ransomware

A spam outbreak, which has been hitherto proliferating Cerber ransomware, recently moved onto one fresh payload right when one fresh ransomware-as-a-service became available. And though the two developments have little relation with each other they depict the persistent investment and enhancement going on with ransom software as also the continuing hurdles security professionals encounter.

When Brad Duncan handler at SANS Internet Storm Center spotted traffic flowing out of the spam outbreak, January 20, 2017, it was found that the spam mails were no longer related to Cerber but were currently installing Sage name of another ransomware. There's no subject line alternatively content in the message body of the spam mails. The malware arrives within dual zipped attachments in the e-mails. If a potential victim unzips the attachments he would find one Word document harboring malevolent macro else one .js file. Either of the files would pull down the ransomware onto computers they infect. ThreatPost posted this, January 23, 2017.

According to Brad Duncan, Sage is CryLocker ransomware's other variant. The discoverer of the variant was MalwareHunterTeam a researcher who made the discovery in September 2016 and stated the malware disseminated through e-mails that Central Security Treatment Organization a fake government organization distributed. The encrypted files were labeled with .cry extension, with the attacker seeking 1.1 Bitcoin. There was also transmission of system info of the infected computer onto the hacker via UDP.

Duncan posted that at the time Sage's callback domains did not get solved in DNS; UDP packets got dispatched from the contaminated PC to more than 7,000 IP addresses. He wrote that he thought the traffic was UDP-based P2P traffic while the same looked encrypted.

He continues that he wasn't sure about the wide distribution of Sage for, he had just seen it within the spam outbreak in discussion and he had just observed it for a single day also. He wasn't further sure about the efficacy of the particular outbreak. Apparently, the spam mails could be easily blocked; therefore, hardly any end-user possibly really noticed Sage 2.0. Yet Sage is an existing ransomware group, depicting the lucrative nature of ransom software for cyber-crooks.

» SPAMfighter News - 1/25/2017