IOC :: https://t.co/Thoyom3PTF pic.twitter.com/OjX9M7OzDU
— Ankit Anubhav (@ankit_anubhav) August 30, 2017
The downloader was spotted on Wednesday, and within hours, the malicious code was removed.
It is not clear how the attackers got the malicious code onto the .gov site or how many visitors were infected.
Anubhav believes the site was compromised; another possibility is that the site was used as storage for attachments from government officials' emails, and the malware arrived attached to one of those messages.
“Blank Slate has pushed different types of ransomware. However, the vast majority of ransomware from this campaign has been Cerber.”
According to an analysis published by Anubhav together with Mariano Palomo Villafranca, a malware analyst at the Spanish telco Telefonica, high-reputation websites such as the US government site hosting this malware are a privileged delivery vector for crooks, precisely because reputation-based filtering does not block them.
“Often security solutions blacklist an entire range of IP addresses and the potential target is saved from such attack (because the site is blocked before they visit it). To counter this measure, attackers focus on hosting malware in legitimate places, such as Google documents, or websites which are “known/proven clean”. As it turns out, one ideal scenario for an attacker would be to host malware on a government site.” states the analysis published by the security duo.
According to the analysis, the file served with a .gif name was in fact an NSIS installer executable, from which the researchers extracted the Cerber JSON configuration file.
“The link is down as of now. However, when we analysed archived data, we found that this particular payload was Cerber ransomware with a SHA256 1f15415da53df8a8e0197aa7e17e594d24ea6d7fbe80fe3bb4a5cd41bc8f09f6.”
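The two points above, that a trusted host defeats URL and IP reputation blocking and that the payload was an executable hiding behind a .gif name, suggest a content-based check that ignores where a file came from. The following is an added example, not code from the article or from the researchers' analysis: it classifies a download by its magic bytes instead of its extension, flags extension/content mismatches, looks for the NSIS first-header marker (0xDEADBEEF followed by "NullsoftInst"), and compares the SHA256 against an IOC list seeded with the hash quoted above. The sample byte strings are constructed for the demonstration and are not real malware.

```python
"""Content-based triage for a downloaded file, independent of the hosting domain.

Added example (not the researchers' tooling). The only value taken from the
article is the Cerber SHA256 IOC; the sample files below are constructed.
"""
import hashlib
import os
from typing import Dict, Set

# SHA256 IOC quoted in the analysis above.
CERBER_IOC_SHA256: Set[str] = {
    "1f15415da53df8a8e0197aa7e17e594d24ea6d7fbe80fe3bb4a5cd41bc8f09f6",
}

# Magic bytes: GIF files start with GIF87a/GIF89a, Windows PE files start with
# the DOS "MZ" stub, and NSIS installers carry 0xDEADBEEF + "NullsoftInst" in
# the first header of their appended data.
GIF_MAGICS = (b"GIF87a", b"GIF89a")
PE_MAGIC = b"MZ"
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"

# What a given extension claims to be. Anything else is "unknown".
EXT_TO_TYPE = {".gif": "gif", ".exe": "pe", ".scr": "pe", ".dll": "pe"}


def sniff_type(data: bytes) -> str:
    """Classify by content only; the filename is never consulted."""
    if data.startswith(GIF_MAGICS):
        return "gif"
    if data.startswith(PE_MAGIC):
        return "nsis" if NSIS_MARKER in data else "pe"
    return "unknown"


def claimed_type(name: str) -> str:
    """What the extension says the file is."""
    return EXT_TO_TYPE.get(os.path.splitext(name)[1].lower(), "unknown")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(name: str, data: bytes,
         ioc_hashes: Set[str] = CERBER_IOC_SHA256) -> Dict[str, object]:
    """Return a verdict dict for one file. Works the same whether the file came
    from a .gov domain or a throwaway VPS, which is the point."""
    actual = sniff_type(data)
    family = "pe" if actual in ("pe", "nsis") else actual   # NSIS is still PE
    claimed = claimed_type(name)
    mismatch = (claimed != "unknown" and family != "unknown"
                and claimed != family)
    digest = sha256_hex(data)
    ioc_match = digest in ioc_hashes
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "extension_mismatch": mismatch,
        "sha256": digest,
        "ioc_match": ioc_match,
        "suspicious": mismatch or ioc_match,
    }


# Constructed samples (not real files): a fake "image" that is really a PE
# carrying the NSIS marker, and a minimal genuine GIF header.
FAKE_GIF_NSIS = (b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32
                 + NSIS_MARKER + b"\x00" * 16)
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;"


if __name__ == "__main__":
    for fname, blob in (("payload.gif", FAKE_GIF_NSIS), ("logo.gif", REAL_GIF)):
        print(scan(fname, blob))
```

The hash comparison alone would have caught only this exact payload; the magic-byte mismatch check is what generalises to the next campaign that parks an executable under an image name on a trusted domain.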