Cyber Incident Victim: National Wildfire Coordinating Group

Date: Aug 2017

Location: United States of America

Summary

A U.S. government website was found hosting a malicious JavaScript downloader linked to Cerber ransomware; the downloader was promptly removed after discovery. The compromised site hosted a .zip archive containing obfuscated PowerShell scripts that downloaded a disguised Cerber executable from a malicious domain, which executed automatically once a user opened the link. Cerber ransomware encrypted victim files after checking for specific language settings and demanded Bitcoin payments for decryption. Researchers noted similarities to earlier spam campaigns that used multi-layered archives to evade detection, and highlighted the site's whitelisted reputation as a potential factor in bypassing security controls. The incident's origin remained unclear, though possible compromise vectors included unauthorized access or archived email attachments.


Description

On August 30, 2017, security researcher Ankit Anubhav of NewSky Security identified a malicious JavaScript downloader hosted on the U.S. government website dms[.]nwcg[.]gov. The downloader, contained within a .zip archive, employed obfuscated PowerShell scripts to retrieve and execute a Cerber ransomware payload disguised as a GIF file from a known malicious domain. The attack chain operated automatically upon user interaction with the hosted link, with no visible indicators to end users. Cerber, a well-established ransomware family active since at least 2016, performed pre-execution checks for Commonwealth of Independent States (CIS) language packs on victim machines before encrypting files. The payload utilized a Nullsoft Scriptable Install System (NSIS) installer to extract Cerber's configuration, a technique previously observed in March 2017 campaigns involving Cerber versions 4 and 5.1. Researchers noted similarities to the "Blank Slate" spam campaign that distributed Cerber earlier that year via double-zip archives containing malicious JavaScript or Word documents.
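As an added defensive example (not from the report or from the researchers cited), the script below applies two triage checks suggested by this attack chain: it walks nested zip archives for script files, and compares each member's declared image extension against its header bytes, which is how a PE executable renamed to .gif stands out. The archive contents are constructed inline as inert placeholders.

```python
import io
import zipfile
from typing import List

# Script extensions that commonly act as downloaders when shipped inside an archive.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf", ".ps1", ".hta")
# Declared image types whose header bytes can be checked against the extension.
IMAGE_MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG",), ".jpg": (b"\xff\xd8",)}
MAX_DEPTH = 3  # stop descending into archives nested deeper than this

def inspect_archive(blob: bytes, depth: int = 0, prefix: str = "") -> List[str]:
    """Walk a zip (and any zip nested in it) and return triage findings:
    script files, nested archives, and 'image' members whose bytes do not
    match their extension (e.g. an executable renamed to .gif)."""
    findings = []
    if depth > MAX_DEPTH:
        return [f"{prefix}: nested deeper than {MAX_DEPTH} levels, not descended"]
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            path = f"{prefix}/{info.filename}" if prefix else info.filename
            data = zf.read(info)
            lower = info.filename.lower()
            if zipfile.is_zipfile(io.BytesIO(data)):
                findings.append(f"{path}: nested archive (depth {depth + 1})")
                findings.extend(inspect_archive(data, depth + 1, path))
            elif lower.endswith(SCRIPT_EXTS):
                findings.append(f"{path}: script file inside archive")
            else:
                for ext, magics in IMAGE_MAGIC.items():
                    if lower.endswith(ext) and not data.startswith(magics):
                        kind = "PE executable" if data[:2] == b"MZ" else "unknown"
                        findings.append(f"{path}: extension {ext} but content is {kind}")
    return findings

def build_sample() -> bytes:
    """Constructed sample: a double-zip holding a .js stub and a 'GIF' whose
    bytes are a PE header. Both are inert placeholders, not real malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("readme.js", "// placeholder script body\n")
        zf.writestr("logo.gif", b"MZ" + b"\x00" * 62)  # PE magic, not a GIF header
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for line in inspect_archive(build_sample()):
        print(line)
```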

Anubhav publicly disclosed the compromise via Twitter, prompting the removal of the malicious link within hours. The Department of Homeland Security did not respond to media inquiries regarding the incident. No confirmed infections stemming directly from the government-hosted malware were reported. Analysis by Anubhav and Telefonica malware analyst Mariano Palomo Villafranca highlighted the exploitation of .gov domains' typically whitelisted reputation status to evade security detection. The incident exposed vulnerabilities in the site's content management, with potential compromise vectors including unauthorized access or archival storage of malicious email attachments. Cerber's operational characteristics remained consistent with established patterns, including Bitcoin ransom demands and the use of exploit kits, spam campaigns, and Dridex botnet infrastructure for distribution. The removal of the downloader constituted the only confirmed remediation action documented in available reports.
