Just In: US Government Site Was Hosting Ransomware but Got Cleaned Up

It has been reported that a US government website was hosting a malicious JavaScript downloader that led to the installation of Cerber ransomware on unsuspecting victims' machines.

A researcher named Ankit Anubhav of NewSky Security discovered the issue last Wednesday and tweeted about it. Within hours the malware link had been removed from the website, and it is unclear whether anybody was infected.

It is unknown how the malicious JavaScript downloader was dropped onto the .gov website. As per Anubhav, “either the site was hacked, or it possibly stores attachments from government officials’ emails and the downloader was archived.” He also pointed out that there are similarities to the Blank Slate spam campaign that spread Cerber through emails.

The Department of Homeland Security did not issue any news update or comment on the issue.

The website was hosting a .zip file containing JavaScript that ran PowerShell, which in turn fetched a GIF file that was actually a Cerber executable.

Ransomware has been around for quite a while, and Cerber is one of the crypto-ransomware families. It has been spread through a number of channels, such as spam email campaigns, botnets, exploit kits and more.

This is a pretty smart move on the attackers' part. .gov websites are whitelisted, which makes them supposedly safe by default. Content hosted on them is assumed to be clean, so it can elude detection that way.

Anubhav said a victim could be sent a link to the page hosting the .zip file and once they click on it and it’s executed, the obfuscated JavaScript is extracted and launches PowerShell which downloads the malware from a known misbehaving domain.

“This PowerShell downloads malware from a known malicious site and runs it,” Anubhav said. “All these steps of course happen automatically and end user won't see it.”

Cerber is the payload and before it encrypts files on the host machine, it checks for certain language packs for Commonwealth of Independent States (CIS) countries running on the compromised computer before proceeding.

Anubhav and Villafranca wrote that the GIF executable was an NSIS installer which extracts the Cerber JSON configuration file. In March, researchers found that Cerber infections were finding success in bypassing detection by hiding inside NSIS installers before executing. Researchers at Deep Instinct told Threatpost that Cerber versions 4 and 5.1 and many versions of Locky were using this technique, along with different versions of Cryptolocker and Cryptowall.

NSIS, which is short for Nullsoft Scriptable Install System, is an open source system that’s used to build Windows installers.
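As an added example (not from the original article or from the researchers it cites), here is a defender-side check for the masquerade described above: a download named `.gif` whose bytes are really a Windows PE, optionally carrying the NSIS installer header signature. The function names and sample bytes are constructed for illustration.

```python
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
# NSIS first-header signature: 0xDEADBEEF (little-endian) followed by "NullsoftInst"
NSIS_MARKER = b"\xef\xbe\xad\xde" + b"NullsoftInst"


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header that points to a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_download(name: str, data: bytes) -> dict:
    """Compare the claimed extension with what the bytes actually are."""
    claimed_image = name.lower().endswith(".gif")
    pe = is_pe(data)
    return {
        "name": name,
        "claimed_image": claimed_image,
        "is_gif": data[:6] in GIF_MAGICS,
        "is_pe": pe,
        "is_nsis": pe and NSIS_MARKER in data,
        # Alert condition: image extension, executable content.
        "suspicious": claimed_image and pe,
    }


def build_fake_pe(overlay: bytes = b"") -> bytes:
    """Constructed sample: DOS header plus PE signature only, not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points just past the DOS header
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20 + overlay


if __name__ == "__main__":
    samples = {
        "logo.gif": b"GIF89a" + b"\x00" * 32,                      # genuine GIF magic
        "payload.gif": build_fake_pe(b"\x00" * 4 + NSIS_MARKER),   # PE posing as GIF
    }
    for name, blob in samples.items():
        print(classify_download(name, blob))
```

The same extension-versus-content comparison can be applied at a web proxy or mail gateway, where a `.gif` response whose body begins with `MZ` is worth an alert regardless of the reputation of the hosting domain.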

When all is said and done, Cerber is still ransomware that demands payment in Bitcoin in return for the supposed decryption key to unlock the files.

