Blank Slate: A Tale of Two Malware Servers

In March 2017, Palo Alto Networks Unit 42 published research on a new malicious spam campaign dubbed “Blank Slate.” Named as such because the malspam message is empty. Only the malicious attachment is present, as seen in Figure 1.

Figure 1: Blank Slate malspam e-mail

Recently, Blank Slate struck deploying Cerber ransomware once again, affording me the opportunity to obtain the latest samples courtesy of The malspam e-mails contained zipped JavaScript files, which, when executed, download Cerber ransomware.

In this specific attack, two malware-serving domains, or malware servers, were used:

  • Unityqueryzouneasty[.]pw
  • Momendfakol[.]top

As expected, the malicious JavaScript file connects to one of these malware servers, downloads and installs the ransomware, passing control to it. While it appears to be a typical malware installation there is a difference in how the malware is hosted from these servers.

The first, unityqueryzouneasty[.]pw, serves the malware directly as an executable file (Figure 2).

Figure 2: Traffic from unityqueryzouneasty[.]pw 

We can quickly identify the executable traversing the network from the TCP stream. This executable is the Cerber ransomware about to be installed on the target system.

The second malware-serving domain, momendfakol[.]top, behaves differently, as seen in Figure 3 and Figure 4.

Figure 3: Traffic from momendfakol[.]top

Figure 4: HTTP Object list

The TCP stream in Figure 3 shows that, instead of downloading a straight binary, it downloads chunks of data. These chunks are observed in Figure 4. There are 68 chunks, each around one kilobyte in size. Initially, I thought reassembling these chunks would result in the actual Cerber executable, but this proved not to be the case. Rather, this sample is an encrypted version of Cerber downloaded to a temporary location and then decrypted during the installation process. This is the same technique used in a recent Locky ransomware attack using HTA files as an infection vector I discussed in a previous blog.

The result of this latest Blank Slate campaign is the same as the earlier iterations of Blank Slate deployments, a system compromised by Cerber ransomware. It is unclear why this latest campaign utilizes two different methods, but it is possible the threat actors used two different malware-serving domains owned by different malicious hosting service providers. The first one serving malware in the traditional way while the second one operates in a paranoid mode.

Learn more about the different technologies used by a malware attack and the people or service providers behind them