Necurs botnet seems to be coming up with a fresh wave of malspam delivering GlobeImposter ransomware. The malspam comes in the form of a quasi-blank email with little to no message content, a short subject line and an attached 7z archive containing a VBScript that downloads the ransomware.
Looking at spam mail that has already been gathered and comparing it with other samples seen on VirusTotal in the last few days, the samples seen so far are mostly blank mail with little to no content and a malicious attachment in the form of a 7z archive containing a VBScript file. The attachment names follow either a numerical scheme such as 10006000420.7z or a pattern such as FL_386828_11.30.2017.7z; other attachment naming schemes have also been seen.
The VBScript file is somewhat obfuscated. It stores a hard-coded string that it parses to obtain various substrings, which it then uses to determine the objects it needs to create for network communication, the file name to use for the downloaded ransomware, and so on. The string has the format shown in the example below, with fields delimited by the character “>”; it is stored in reversed form, and the malware reverses it before extracting the necessary substrings.
The VBScript file has a hardcoded list of URLs, as shown in the snapshot below, from which to download the ransomware. It then loops through the list of URLs until a download succeeds. Various attachments from multiple spam emails were analyzed and showed largely non-intersecting URL lists in each attachment. Below left is the obfuscated code looping through the URL list trying to download the malware; below right is the corresponding simplified pseudocode.
The VBS file saves the payload to the “C:\Users\user\AppData\Local\Temp\” folder and executes it, as seen below.
While the attachment itself is compressed, the VBScript file inside the archive, seen across various attachment samples, shows a recurring pattern in the code that can be leveraged by an IDS/IPS or YARA engine capable of decompressing the archive and matching on the VBScript file.
Common patterns seen across the VBScript attachments include:
krapivec\s*=\s*Array\( -> regex (the opening parenthesis is escaped so that it matches literally)
CUA ="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" -> literal string
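The two patterns above, together with the reversed “>”-delimited config string and the URL array described earlier, can be checked statically once the archive has been decompressed. The following Python script is an added example for this post, not code from the original article or from Juniper/Cyphort: it runs the two patterns as regexes over a script body, recovers the config fields by reversing and splitting the StrReverse literal, and lists the URLs from the krapivec array. The VBScript fragment, its config fields and the hostnames are constructed for the example, and the URL array is assumed to hold plain string literals (the post's screenshot does not show their form).

```python
import re

# Constructed VBScript fragment in the style the post describes (not a real sample):
# a hard-coded '>'-delimited config string stored reversed, a user-agent string, and
# a URL array named krapivec. Hostnames are placeholders.
SAMPLE_VBS = r'''
Dim CUA, krapivec, cfg, parts
CUA ="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"
cfg = StrReverse("exe.etadpu>%PMET%>maertS.BDODA>PTTHLMX.2LMXSM>wen/")
parts = Split(cfg, ">")
krapivec = Array("http://example-a.invalid/", "http://example-b.invalid/")
'''

# Regex forms of the two recurring patterns quoted in the post. The '(' after Array
# is escaped so the pattern is a valid regex that matches the parenthesis literally.
PATTERNS = {
    "krapivec_array": re.compile(r"krapivec\s*=\s*Array\("),
    "firefox57_user_agent": re.compile(
        r'CUA\s*="Mozilla/5\.0 \(Windows NT 6\.1; Win64; x64; rv:57\.0\) '
        r'Gecko/20100101 Firefox/57\.0"'),
}


def match_patterns(script: str) -> list[str]:
    """Names of the recurring patterns present in a (decompressed) VBScript body."""
    return [name for name, rx in PATTERNS.items() if rx.search(script)]


def decode_config(script: str) -> list[str]:
    """Recover the fields of the reversed, '>'-delimited config string.

    The script reverses the literal at run time and splits on '>'; doing the same
    statically yields the object names, path and file name without running it.
    Returns [] when no StrReverse literal is found.
    """
    m = re.search(r'StrReverse\("([^"]*)"\)', script)
    return m.group(1)[::-1].split(">") if m else []


def extract_urls(script: str) -> list[str]:
    """Pull the quoted URLs out of the krapivec = Array(...) list.

    Assumes the array holds plain string literals (an assumption of this example).
    """
    m = re.search(r"krapivec\s*=\s*Array\((.*?)\)", script, re.S)
    return re.findall(r'"(https?://[^"]+)"', m.group(1)) if m else []


if __name__ == "__main__":
    print("patterns:", match_patterns(SAMPLE_VBS))
    print("config  :", decode_config(SAMPLE_VBS))
    print("urls    :", extract_urls(SAMPLE_VBS))
```

Feed the extracted script text to these functions from whatever engine unpacks the 7z archive; the URL list and config fields recovered this way are the indicators worth blocking or hunting for, without ever executing the script.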
The ransomware payload is in the form of an NSIS installer. When spawned, it unpacks itself, spawns a copy of itself in suspended mode and injects its code into the child using the process hollowing technique.
When the malicious payload is executed, the malware encrypts all files, adding the “..doc” extension. Previous and other versions of the ransomware are known to use other extensions.
The malware ensures persistence by creating a run entry named “UpdateBrowserCheck”, with the path to the ransomware executable as its data, under HKCU\Software\Microsoft\Windows\RunOnce.
It writes a temporary batch file to the system, as shown below, with commands to delete any shadow volume copies in order to prevent restoration of encrypted files. It also clears all event logs from the system to cover its tracks.
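The persistence entry and the batch-file behaviour just described are observable in endpoint telemetry. The following Python script is an added example, not code from the original post or from Juniper/Cyphort: it runs three detection rules over constructed process-creation and registry-set records and reports which PIDs triggered them. The event records are constructed, and because the post shows the batch commands only in an image, the shadow-copy deletion and event-log clearing rules assume the usual tools for those actions (vssadmin, wmic, wevtutil) rather than commands taken from the post.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry (not from the post). Process events carry the
# command line the sensor recorded; registry events carry key/value/data.
EVENTS = [
    {"type": "process", "pid": 4120,
     "cmdline": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\tmp1A2B.bat"'},
    {"type": "process", "pid": 4131,
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "pid": 4140,
     "cmdline": "wevtutil cl Security"},
    {"type": "registry", "pid": 4098,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": "UpdateBrowserCheck",
     "data": r"C:\Users\user\AppData\Local\Temp\update.exe"},
    {"type": "process", "pid": 4200,
     "cmdline": "notepad.exe notes.txt"},
]

# Command-line rules. The post says the batch file deletes shadow copies and clears
# event logs but shows the commands only in an image; vssadmin/wmic/wevtutil are the
# usual tools for that and are assumed here, not taken from the post.
CMDLINE_RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b",
        re.I),
    "event_log_clearing": re.compile(
        r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
}

# Registry rule: the RunOnce value name from the post. The post writes the key as
# HKCU\Software\Microsoft\Windows\RunOnce; the full path includes CurrentVersion,
# so both spellings are accepted.
RUNONCE_KEY = re.compile(
    r"HKCU\\Software\\Microsoft\\Windows\\(CurrentVersion\\)?RunOnce$", re.I)
RUNONCE_VALUE = "UpdateBrowserCheck"


def classify(event: dict) -> list[str]:
    """Return the names of the rules an event triggers (empty if nothing matched)."""
    hits = []
    if event["type"] == "process":
        hits += [name for name, rx in CMDLINE_RULES.items()
                 if rx.search(event["cmdline"])]
    elif event["type"] == "registry":
        if RUNONCE_KEY.search(event["key"]) and event["value"] == RUNONCE_VALUE:
            hits.append("runonce_persistence")
    return hits


def triage(events: list[dict]) -> dict[str, list[int]]:
    """Map each triggered rule to the PIDs that triggered it."""
    out = defaultdict(list)
    for ev in events:
        for name in classify(ev):
            out[name].append(ev["pid"])
    return dict(out)


if __name__ == "__main__":
    for rule, pids in triage(EVENTS).items():
        print(f"{rule}: pids {pids}")
```

Shadow-copy deletion followed by event-log clearing from a batch file in a user's Temp folder is a high-confidence pair on its own; the RunOnce value name is the sample-specific indicator, so keep the two command-line rules even if a later variant changes the registry value.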
Strings from the unpacked sample:
The ransom file name and the ransom note.
Batch commands run by the malware:
The ransom note, “Read__ME.html”, is dropped into every directory where files are encrypted, asking the user to connect to the TOR network for the decryptor. Clicking the “Buy Decryptor” button redirects the user to an onion link that states the ransom amount, starts a 48-hour timer and doubles the ransom amount when the timer expires.
It is interesting to note a difference from other ransomware: the start of the timer is not tied to the encryption time, and the ransom amount is not known at the time the victim is notified of what just happened. Both require the victim to visit the TOR web address, which triggers the timer and reveals the ransom amount.
Akin to other ransomware, this variant of GlobeImposter allows the victim to decrypt one file of their choice, to gain assurance that decryption is possible before paying the ransom. Many victims indeed refuse to pay the ransom because they do not believe there is any guarantee of recovering their files. The ransomware criminal gangs are having to recover from the damage done to their image by wipers disguised as ransomware.
Both Cyphort (now a Juniper company) and Juniper Sky ATP detect the email attachment and the ransomware payload.
Many thanks to Abhijit Mohanta from the Threat Research Team for co-authoring this blog.