Email scams – very sloppy Cerber dropper

Timestamps – February 2017 to March 2017 (latest sample 9-3-2017), plus older ones following the same pattern from May 2016

Continuing the line on sloppy email scams, a specific type is hitting one of my addresses. Spam is received regularly from the same sender address, always in the same format. The attachments are built Matryoshka style, as in a previous post (an archive inside an archive, finally containing a JS or DOC file).
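As an added example (not code from the original post), the check below unpacks a ZIP attachment recursively and reports any script or Office document buried inside a nested archive, which is exactly the "archive in archive, finally a JS or DOC" layout described above. The payload and archive extension lists, the recursion limit and the member size cap are assumptions chosen for illustration; the sample attachment is constructed in memory with a harmless text file standing in for the JS payload.

```python
import io
import zipfile

# Extensions treated as a script/document payload when found inside an archive.
# Assumption for illustration: the post only names JS and DOC, the rest are
# common relatives of those two.
PAYLOAD_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".doc", ".docm")
# Nested archive formats this example descends into (ZIP only, an assumption).
ARCHIVE_EXTENSIONS = (".zip",)
# Guard rails against decompression bombs: bounded depth and bounded member size.
MAX_DEPTH = 5
MAX_MEMBER_BYTES = 5 * 1024 * 1024


def find_nested_payloads(data, depth=1, path="", max_depth=MAX_DEPTH):
    """Walk a ZIP (and any ZIPs inside it) and return a list of
    (member_path, depth) tuples for every member whose extension is in
    PAYLOAD_EXTENSIONS. depth 1 is the outer archive."""
    hits = []
    if depth > max_depth:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a ZIP at all: nothing to inspect at this level.
        return hits
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            full = f"{path}/{name}" if path else name
            lower = name.lower()
            if lower.endswith(PAYLOAD_EXTENSIONS):
                hits.append((full, depth))
            elif lower.endswith(ARCHIVE_EXTENSIONS):
                # Skip oversized inner archives instead of inflating them.
                if info.file_size > MAX_MEMBER_BYTES:
                    continue
                hits.extend(find_nested_payloads(zf.read(info), depth + 1, full, max_depth))
    return hits


def should_quarantine(attachment_bytes):
    """Policy used in this example: flag the attachment when a script or
    document payload sits below the top level, i.e. inside a nested archive."""
    return any(depth >= 2 for _, depth in find_nested_payloads(attachment_bytes))


def build_matryoshka_sample():
    """Constructed sample attachment: outer.zip -> inner.zip -> invoice.js.
    The .js member is a one-line comment, not a real payload."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.js", "// placeholder text, not a real script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
        z.writestr("readme.txt", "harmless text\n")
    return outer.getvalue()


def build_flat_sample():
    """Constructed benign attachment: a single-level ZIP with only a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", "nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_matryoshka_sample()
    print(find_nested_payloads(sample))   # [('inner.zip/invoice.js', 2)]
    print(should_quarantine(sample))      # True
    print(should_quarantine(build_flat_sample()))  # False
```

Hooking this into a mail pipeline (a milter, a Postfix content filter, or a mailbox script) is left to the environment; the point is that the nesting itself is a strong, cheap signal that the spam filter described here is missing, independent of any signature on the final payload.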

[Image: sloppy-cerber-deliverer]

The surprising thing is that, even though they are very poorly executed:

  1. The spam filter is very bad at identifying them. All of this is getting into my inbox.
  2. Over a 10-month period I've been receiving the same kind of thing from the same email address (from different IPs, though).

[Image: montenapoleoneluxury.com-timeline]

Sender email

customerservice@montenapoleoneluxury.com

Sender IP address (from 2017)

31.162.17.160
31.163.135.36
111.240.129.119

Sender IP address (from 2016)

104.233.89.240
176.36.28.239
91.232.91.185
188.244.179.23

Sha256

25be33f20611b78b69f3960a8825f62300c875e8b09425c931074b2fd58f7c18
fe05f8e94d195e25700ff8d249ebd8656fa57f4e9855dc3a7b327962f33de208
1964357938fbc743634289137ec7838df33f593251e9730c887e89f599c5ee8b

After sandbox analysis, one of them still seems to work as a Cerber dropper; the other seems defunct.

https://www.hybrid-analysis.com/sample/1964357938fbc743634289137ec7838df33f593251e9730c887e89f599c5ee8b?environmentId=100

https://www.hybrid-analysis.com/sample/fe05f8e94d195e25700ff8d249ebd8656fa57f4e9855dc3a7b327962f33de208?environmentId=100

Full IOC list on https://otx.alienvault.com/pulse/58c43ad8eda0e40f34ddb8c1/