Malspam Campaign Distributing Cerber Ransomware

The LookingGlass Cyber Threat Intelligence Group (CTIG) observed a malspam campaign distributing the Cerber ransomware. The attachment, touted in the email as a "new report" for the recipient, is a malicious .dot (Word document template) file, which opens natively in Microsoft Word. The .dot file carries a malicious macro which, when executed, fetches and runs the Cerber payload. Cerber has been analyzed in detail here and here, so the scope of this post is limited to the indicators observed in this campaign.

Below is a screenshot of an example email from this malspam campaign:

[Screenshot: an example email from the malspam campaign]

Below are the SMTP headers from the sample; they can be used for identification and blocking on SMTP gateways:

Received: from tp-exch-v01.corpnet.asus ([])
  by with ESMTP; 10 May 2016 20:46:31 +0800
From: Moses Contreras <>
Subject: =?UTF-8?Q?Moses_Contreras?=
Date: Tue, 10 May 2016 07:46:02 -0500
MIME-Version: 1.0
X-mailer: Opera Mail 9.12.292
X-Originating-IP: []
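The following is an added example, not code from the LookingGlass post, showing how the header indicators above can be matched on a mail gateway or in a mail-log review. It uses Python's standard email library to parse a raw header block, unfold the Received header, decode the RFC 2047 encoded-word Subject, and compare the upstream hostname, X-mailer string and sender display name against the values observed in this campaign; it also flags the quirk visible in the sample, a Subject that is nothing but the sender's display name. The sample message is constructed here: the sender address and IPs that the post elides are replaced with documentation placeholders (example.invalid, 192.0.2.10), and the receiving host mx.example.net is invented.

```python
"""Match raw SMTP headers against the header indicators from this campaign."""
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Header indicators taken from the sample in the post.
CAMPAIGN_HEADER_IOCS = {
    "received_host": "tp-exch-v01.corpnet.asus",
    "x_mailer": "Opera Mail 9.12.292",
    "from_name": "Moses Contreras",
}

# Constructed sample: the header values the post shows, with the elided sender
# address and IP addresses replaced by documentation placeholders.
SAMPLE_HEADERS = """\
Received: from tp-exch-v01.corpnet.asus ([192.0.2.10])
  by mx.example.net with ESMTP; 10 May 2016 20:46:31 +0800
From: Moses Contreras <sender@example.invalid>
Subject: =?UTF-8?Q?Moses_Contreras?=
Date: Tue, 10 May 2016 07:46:02 -0500
MIME-Version: 1.0
X-mailer: Opera Mail 9.12.292
X-Originating-IP: [192.0.2.10]

"""


def decode_rfc2047(value):
    """Decode an RFC 2047 header such as =?UTF-8?Q?Moses_Contreras?= to plain text."""
    if value is None:
        return ""
    return str(make_header(decode_header(value)))


def match_headers(raw, iocs=CAMPAIGN_HEADER_IOCS):
    """Return the names of the campaign indicators that a raw header block matches."""
    msg = message_from_string(raw)
    hits = []

    # There may be several Received headers; the upstream hop can appear in any of
    # them, and the folded continuation line is kept inside the value.
    received = " ".join(msg.get_all("Received", []))
    if iocs["received_host"] in received:
        hits.append("received_host")

    # Header lookups are case-insensitive, so "X-mailer" and "X-Mailer" both match.
    if msg.get("X-Mailer", "").strip() == iocs["x_mailer"]:
        hits.append("x_mailer")

    from_name, _addr = parseaddr(decode_rfc2047(msg.get("From")))
    if from_name == iocs["from_name"]:
        hits.append("from_name")

    # In this campaign the Subject is just the sender's display name, encoded.
    if from_name and decode_rfc2047(msg.get("Subject")) == from_name:
        hits.append("subject_is_sender_name")

    return hits


if __name__ == "__main__":
    print(match_headers(SAMPLE_HEADERS))
```

The display-name and X-mailer strings are trivial for the sender to change between waves, so treat the combination of hits as a scoring signal rather than a single hard block, and keep the Received hostname as the strongest of the four.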

The CTIG observed an attachment "" (MD5: 3D367E6774D1501EAF1B7632E099C1FB) that contained a VBScript macro "29212.vbs" (MD5: B5D1D7BA47D363620168DDD39ECF1EE2). The macro retrieved an encoded payload from the following URI:

hxxp://pompe-distribution[.]com/h.jpg?BkKSelC1CS=53 (188.165.242[.]106)

The payload (MD5: 6519603249EF66224BADF63A6D4DBF5A) can be seen below being downloaded in its encoded form:

[Screenshot: the encoded payload being downloaded from pompe-distribution[.]com]

Once the Cerber payload is decoded (MD5: 63688AB0D343B66FBBFBCECBBD62FFDF) and executed, and before it begins encrypting files on the victim machine, it starts communicating with a wide range of IP addresses, 85.93.0[.]0 – 85.93.63[.]255 (85.93.0[.]0/18), via UDP on port 6892:

[Screenshot: UDP traffic from the infected host to 85.93.0[.]0 – 85.93.63[.]255 on port 6892]

The CTIG recommends blocking all of the IOCs listed below to proactively protect your environment from this threat. LookingGlass ScoutVision had observed the first UDP communication address, 85.93.0[.]0, associated with Cerber ransomware as early as April 13, 2016.
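As an added example (not code from the LookingGlass post), the following Python collapses the observed 85.93.0.0 – 85.93.63.255 range into the CIDR block a firewall can take, scans flow records for the two network indicators above (the payload host 188.165.242.106 and UDP/6892 traffic into that range), and renders the corresponding outbound-drop rules in iptables syntax. The flow-record layout, the sample flows and the infected workstation address 10.0.0.23 are all constructed for this example; the iptables rules are a suggested blocking form, not something the post prescribes.

```python
"""Flag flow records that touch the network indicators from this campaign."""
import ipaddress

# Network indicators taken from the post.
PAYLOAD_HOST = ipaddress.ip_address("188.165.242.106")   # host that served h.jpg
C2_RANGE_START = ipaddress.ip_address("85.93.0.0")
C2_RANGE_END = ipaddress.ip_address("85.93.63.255")
C2_PORT = 6892                                            # UDP

# Constructed flow records (not real telemetry) in a simple
# '<ts> <src>:<sport> -> <dst>:<dport> <proto>' layout; 10.0.0.23 is a
# hypothetical infected workstation.
SAMPLE_FLOWS = [
    "2016-05-10T12:47:10Z 10.0.0.23:49312 -> 188.165.242.106:80 TCP",   # payload fetch
    "2016-05-10T12:47:25Z 10.0.0.23:60001 -> 85.93.17.44:6892 UDP",     # inside the range
    "2016-05-10T12:47:25Z 10.0.0.23:60001 -> 85.93.200.9:6892 UDP",     # same /16, outside the /18
    "2016-05-10T12:47:26Z 10.0.0.23:60002 -> 85.93.5.5:53 UDP",         # in range, wrong port
    "2016-05-10T12:48:00Z 10.0.0.23:49313 -> 93.184.216.34:443 TCP",    # unrelated
]


def c2_networks():
    """Collapse the observed start-end range into the CIDR block(s) a firewall can take."""
    return list(ipaddress.summarize_address_range(C2_RANGE_START, C2_RANGE_END))


def parse_flow(line):
    """Parse one constructed flow line into its fields."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src_ip), "sport": int(sport),
        "dst": ipaddress.ip_address(dst_ip), "dport": int(dport),
        "proto": proto.upper(),
    }


def classify_flow(flow, nets):
    """Return a verdict string for a parsed flow, or None if it matches nothing."""
    if flow["dst"] == PAYLOAD_HOST:
        return "payload_download"
    if (flow["proto"] == "UDP" and flow["dport"] == C2_PORT
            and any(flow["dst"] in net for net in nets)):
        return "cerber_udp_c2"
    return None


def scan_flows(lines):
    """Return (timestamp, destination, verdict) for every flow that hits an indicator."""
    nets = c2_networks()
    hits = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = classify_flow(flow, nets)
        if verdict:
            hits.append((flow["ts"], str(flow["dst"]), verdict))
    return hits


def iptables_rules():
    """Render outbound-drop rules for the indicators (iptables syntax; a suggestion)."""
    rules = [f"iptables -A OUTPUT -d {PAYLOAD_HOST} -j DROP"]
    for net in c2_networks():
        rules.append(f"iptables -A OUTPUT -p udp -d {net} --dport {C2_PORT} -j DROP")
    return rules


if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(*hit)
    print("\n".join(iptables_rules()))
```

Restricting the UDP match to port 6892 keeps the rule narrow; if the sample in your environment uses a different port in the same range, widen the port check rather than the address block, since the /18 alone would also catch unrelated traffic to that provider.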

Summary of IOCs:

Sender:

Moses Contreras <>

URL:

hxxp://pompe-distribution[.]com/h.jpg?BkKSelC1CS=53

IP Addresses:

188.165.242[.]106 (payload download host)
85.93.0[.]0 - 85.93.63[.]255 (85.93.0[.]0/18, UDP port 6892)

Malware MD5s:

3D367E6774D1501EAF1B7632E099C1FB (.dot attachment)
B5D1D7BA47D363620168DDD39ECF1EE2 (29212.vbs)
6519603249EF66224BADF63A6D4DBF5A (encoded payload)
63688AB0D343B66FBBFBCECBBD62FFDF (decoded Cerber payload)

File Path:

C:\Documents and Settings\Administrator\Application Data\{19CF59F6-0800-788E-D3A1-D46836652FD8}\