2017-10-13 - BLANK SLATE MALSPAM STOPS PUSHING LOCKY, STARTS PUSHING SAGE 2.2 RANSOMWARE

ASSOCIATED FILES:

SOME BACKGROUND:


INTRODUCTION

Attachments from Blank Slate malspam have been pushing the ".asasin" variant of Locky ransomware since that variant first appeared on Tuesday 2017-10-10.  However, sometime on Friday 2017-10-13, Blank Slate malspam stopped pushing Locky.  The most recent Locky I found from Blank Slate is SHA256 hash 51c73af1811c47fca69ea1de7d794d07090b4c892632529ea86ea9cee73779ce, originally submitted to VirusTotal on 2017-10-13 at 09:57 UTC.

Since then, Blank Slate has been pushing Sage 2.2 ransomware.  The 2.2 version has been around for months now.  For example, here is a documented case of Sage 2.2 ransomware from March 16, 2017.

Why did Blank Slate stop pushing Locky ransomware?  Maybe it's related to recent Necurs botnet activity.  Wednesday 2017-10-11 was the last time I saw Necurs botnet malspam pushing Locky, and all those emails on the 11th had bad formatting.  Maybe there's some sort of correlation there, but I cannot say for sure.

Other notes:


EMAILS


Shown above:  Screenshot from the spreadsheet tracker.  Some emails have .zip attachments, while others have .doc attachments.



Shown above:  Screenshot from one of the emails.


EMAILS NOTED:


ZIP ATTACHMENT INFO:



Shown above:  If the attachment is a zip archive, it contains another zip archive with a malicious JavaScript (.js) file inside.
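As an added example (not code from the original post), here is a small Python triage script for attachments of the shape described above: it opens a zip, descends into any zip nested inside it, and reports script files together with their nesting depth.  The sample archive it builds is constructed here to mirror that layout (zip inside zip, .js inside); the names doc.zip and doc.js and the script body are placeholders, not the real attachment.  The "!/" path separator and the extra script extensions beyond .js are my own conventions, not something documented in this campaign.  Python's zipfile only decrypts ZipCrypto-protected archives, so pass the password as bytes for those; AES-encrypted zips need a third-party library.

```python
"""Added example: triage a nested-zip e-mail attachment for script payloads.

Not code from the original post. Builds a constructed sample archive that
mirrors the layout described above (zip -> zip -> .js) and walks it.
"""
import io
import zipfile

# Extensions Windows Script Host runs on double-click. The post documents
# only .js; the rest are assumed common siblings, not observed in this campaign.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def walk_zip(data, password=None, depth=0, max_depth=4, prefix=""):
    """Return (path, depth, size, blob) for each file member, descending into
    nested zips. "!/" in the path marks a container boundary, e.g.
    "doc.zip!/doc.js". max_depth bounds recursion against zip bombs.
    password (bytes) is honoured for ZipCrypto only; AES zips need a
    third-party library."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            blob = zf.read(info, pwd=password)
            nested = (depth < max_depth
                      and blob.startswith(ZIP_LOCAL_HEADER)
                      and zipfile.is_zipfile(io.BytesIO(blob)))
            if nested:
                members.extend(walk_zip(blob, password, depth + 1,
                                        max_depth, path + "!/"))
            else:
                members.append((path, depth, info.file_size, blob))
    return members


def triage_attachment(data, password=None):
    """Summarise a zip attachment: script members, nesting depth, flags."""
    members = walk_zip(data, password)
    scripts = []
    for path, depth, size, blob in members:
        name = path.rsplit("/", 1)[-1].lower()
        parts = name.split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in SCRIPT_EXTENSIONS:
            scripts.append({
                "path": path,
                "depth": depth,
                "size": size,
                # "invoice.pdf.js"-style names: a second extension so Explorer
                # hides the real one when extensions are turned off
                "double_extension": len(parts) > 2,
                # crude obfuscation hint: a long script with no line breaks
                "single_line": b"\n" not in blob.strip() and size > 200,
            })
    return {
        "member_count": len(members),
        "max_depth": max((m[1] for m in members), default=0),
        "scripts": scripts,
        "verdict": "suspicious" if scripts else "no script payload",
    }


def build_sample_attachment():
    """Constructed sample (not the real attachment): an outer zip holding an
    inner zip holding a harmless placeholder .js file."""
    js_body = b"// placeholder script body for the example; does nothing\n"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("doc.js", js_body)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("doc.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    report = triage_attachment(build_sample_attachment())
    for s in report["scripts"]:
        print(f"{s['path']} depth={s['depth']} size={s['size']} "
              f"double_ext={s['double_extension']}")
    print(report["verdict"])
```

Run it on a real attachment by reading the file into bytes and calling triage_attachment(data, password=b"...") with the archive password; a result of depth 1 with a single .js member matches the layout described for this campaign, and anything deeper or with several script members is worth a closer look.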



Shown above:  If the attachment is a Word document, it has malicious macros.


TRAFFIC


Shown above:  HTTP traffic from an infection filtered in Wireshark.



Shown above:  UDP traffic from an infection filtered in Wireshark.


TRAFFIC GENERATED BY .JS/.DOC FILES TO DOWNLOAD SAGE RANSOMWARE:

SAGE POST-INFECTION TRAFFIC:

DOMAINS FROM THE DECRYPTION INSTRUCTIONS:


ASSOCIATED FILES

ATTACHMENTS:

EXTRACTED .JS FILES:

FOLLOW-UP MALWARE (SAGE 2.2 BINARIES):

PATHS TO MALWARE:


IMAGES


Shown above:  Desktop of an infected Windows host.



Shown above:  When trying to view the decryptor, you first see a CAPTCHA screen to confirm you are not a robot.



Shown above:  Selecting your language after the CAPTCHA screen.



Shown above:  The Sage decryptor showing today's ransom cost.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.