A spam campaign is using a Tor2Web proxy service in an attempt to infect users with Cerber ransomware without raising any red flags.
Researchers at Cisco Talos are accustomed to coming across malicious spam campaigns that leverage email attachments and professionally written emails to trick unsuspecting users. They’ve seen it with Locky and lots of other ransomware.
But not so with a new offensive, as the research team explains in a blog post:
“This campaign looked different in that the messages didn’t contain an attachment and were extremely short and basic. What we found was a potential next evolution for ransomware distribution that relies more heavily on Tor to obfuscate their activity and hinder the ability to shut down servers that are hosting the malicious content.”
Here’s how the attack works.
A user receives an email containing a hyperlink claiming to be a file of interest such as a picture or transaction logs. Some of the emails’ subject lines contain the recipient’s first names, a technique which enhances the spam message’s claim to legitimacy.
Even so, the campaign’s spam is quite simplistic.
As you can see in the image above, the campaign is making use of Google redirection. But it’s not linking to any normal site. It’s redirecting the victim to a malicious payload that’s hosted on the Tor network.
The researches at Cisco Talos elaborate on that point:
“The use of the ‘onion.to’ domain in the initial redirect enables the attacker to make use of the Tor2Web proxy service, which enables the access of resources located on Tor from the internet by proxying web requests through an intermediary proxy server. Using proxy services like Tor2Web enables access to the Tor network without requiring a Tor client to be installed locally on the victim system.”
Why is that important?
By hosting their malicious payloads on the Tor network, there is less of a chance that deny-listing services or other traditional detection tools will pick up on them. That means a victim’s AV software won’t block the redirect locations and that the payloads could remain active for quite some time.
Following the initial redirection, users are prompted to download a Microsoft Word document that – you guessed it! – contains malicious macros.
Enabling content activates a downloader that invokes Powershell, which in turn downloads the executable for the Cerber ransomware.
Cerber, as you might recall, is the ransomware that speaks to its victims and that has quite a lucrative affiliate system powering its distribution.
To protect yourself against this campaign, including the US $1,000 ransom fee it demands, users should securely and regularly backup their files, keep their systems up to date, and not click on suspicious links.
And PLEASE, don’t ever enable content from a suspicious source. In fact, it’s a good idea to disable macros in Word documents outright. Here’s a guide.
See? There’s no excuse for not doing it. So do it. NOW.