Spam campaign tiptoes via Tor to deliver Cerber ransomware

Ugh… again with the malicious macros?!

David bisson
David Bisson

Spam campaign tiptoes via Tor to deliver Cerber ransomware

A spam campaign is using a Tor2Web proxy service in an attempt to infect users with Cerber ransomware without raising any red flags.

Researchers at Cisco Talos are accustomed to coming across malicious spam campaigns that leverage email attachments and professionally written emails to trick unsuspecting users. They’ve seen it with Locky and lots of other ransomware.

But not so with a new offensive, as the research team explains in a blog post:

“This campaign looked different in that the messages didn’t contain an attachment and were extremely short and basic. What we found was a potential next evolution for ransomware distribution that relies more heavily on Tor to obfuscate their activity and hinder the ability to shut down servers that are hosting the malicious content.”

Here’s how the attack works.

A user receives an email containing a hyperlink claiming to be a file of interest such as a picture or transaction logs. Some of the emails’ subject lines contain the recipient’s first names, a technique which enhances the spam message’s claim to legitimacy.

Even so, the campaign’s spam is quite simplistic.

Spam campaign
Source: Cisco Talos

As you can see in the image above, the campaign is making use of Google redirection. But it’s not linking to any normal site. It’s redirecting the victim to a malicious payload that’s hosted on the Tor network.

The researches at Cisco Talos elaborate on that point:

“The use of the ‘’ domain in the initial redirect enables the attacker to make use of the Tor2Web proxy service, which enables the access of resources located on Tor from the internet by proxying web requests through an intermediary proxy server. Using proxy services like Tor2Web enables access to the Tor network without requiring a Tor client to be installed locally on the victim system.”

TorWhy is that important?

By hosting their malicious payloads on the Tor network, there is less of a chance that deny-listing services or other traditional detection tools will pick up on them. That means a victim’s AV software won’t block the redirect locations and that the payloads could remain active for quite some time.

Sign up to our free newsletter.
Security news, advice, and tips.

Following the initial redirection, users are prompted to download a Microsoft Word document that – you guessed it! – contains malicious macros.

Word doc
Source: Cisco Talos

Enabling content activates a downloader that invokes Powershell, which in turn downloads the executable for the Cerber ransomware.

Cerber, as you might recall, is the ransomware that speaks to its victims and that has quite a lucrative affiliate system powering its distribution.

Cerber ransomware demand
Source: Cisco Talos

To protect yourself against this campaign, including the US $1,000 ransom fee it demands, users should securely and regularly backup their files, keep their systems up to date, and not click on suspicious links.

And PLEASE, don’t ever enable content from a suspicious source. In fact, it’s a good idea to disable macros in Word documents outright. Here’s a guide.

See? There’s no excuse for not doing it. So do it. NOW.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Spam campaign tiptoes via Tor to deliver Cerber ransomware”

  1. VforVendetta

    Who do you think is attacking Tor it's the Government. They are attacking anyone and everyone that tries to hide from their spying. But make it look like its some Hacker doing it.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.