A spam campaign is using a Tor2Web proxy service in an attempt to infect users with Cerber ransomware without raising any red flags.
Researchers at Cisco Talos are accustomed to coming across malicious spam campaigns that leverage email attachments and professionally written emails to trick unsuspecting users. They’ve seen it with Locky and lots of other ransomware.
HOW IT WORKS…
A user receives an email containing a hyperlink claiming to be a file of interest such as a picture or transaction logs. Some of the emails’ subject lines contain the recipient’s first names, a technique which enhances the spam message’s claim to legitimacy.
Even so, the campaign’s spam is quite simplistic.
As you can see in the image above, the campaign is making use of Google redirection. But it’s not linking to any normal site. It’s redirecting the victim to a malicious payload that’s hosted on the Tor network.
Why is that important?
By hosting their malicious payloads on the Tor network, there is less of a chance that blacklisting services or other traditional detection tools will pick up on them. That means a victim’s AV software won’t block the redirect locations and that the payloads could remain active for quite some time.
Following the initial redirection, users are prompted to download a Microsoft Word document that – you guessed it! – contains malicious macros.
Enabling content activates a downloader that invokes Powershell, which in turn downloads the executable for the Cerber ransomware.
