Threat Research
Stay on top of the latest threat research, information on in-the-wild cyber attacks and cyber operations from Juniper Threat Labs.
Necurs Malspam Delivers GlobeImposter Ransomware
12.10.17

Introduction

The Necurs botnet appears to be sending a fresh wave of malspam that delivers GlobeImposter ransomware. The malspam takes the form of a quasi-blank email with little to no message body, a short subject line and an attached 7z archive containing a VBScript file that downloads the ransomware.

Indicators of Compromise (IOCs)

GlobeImposter Payload MD5sum: c99e32fb49a2671a6136535c6537c4d7

Technical Analysis

Mail Attachment VBScript Analysis

Looking at spam mail already gathered and comparing it with other samples seen on VirusTotal over the last few days, the samples so far are mostly blank mails with little to no content and a malicious attachment in the form of a 7z archive containing a VBScript file. The attachment names follow either a numeric scheme such as 10006000420.7z or a scheme like FL_386828_11.30.2017.7z; other naming schemes have also been seen.

The VBScript file is somewhat obfuscated. It stores a hard-coded string that it parses to obtain various sub-strings, which it then uses to determine the objects to create for network communication, the file name to use for the downloaded ransomware, and so on. The string is delimited by the character “>” and is stored in reverse; the script reverses it before extracting the sub-strings it needs. An example of the format is shown below.

image6.png

The VBScript file has a hard-coded list of URLs, shown in the snapshot below, from which to download the ransomware. It loops through the list until a download succeeds. Attachments from multiple spam emails were analyzed and each showed a largely non-intersecting list of URLs. Below left is the obfuscated code looping through the URL list trying to download the malware; below right is the corresponding simplified pseudocode.

image14.png

The VBScript saves the payload to the “C:\Users\user\AppData\Local\Temp\” folder and executes it, as seen below.

image8.png

While the attachment itself is compressed, the VBScript file inside the archive shows a recurring code pattern across the attachment samples that an IDS/IPS or YARA engine can leverage, provided it decompresses the archive and matches on the VBScript file.

Common patterns seen across the VBScript attachments include:

krapivec\s*=\s*Array\( (regex; the literal parenthesis is escaped)

“Williams”

“Kullipin”

CUA ="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"

“elifotevas>ydoBesnopser>etirw>nepo>epyT>PmeT>TeG>ssecorP>llehs.tpircsW>noitacilppA.llehs>Maerts.bdodA>PTTHLMX.tfosorciM”

And so on.
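The two pieces of VBScript behaviour described in this section, the reversed “>”-delimited configuration string and the recurring attachment patterns, combine naturally into a small triage script. The Python below is an added example written for this page, not code from Juniper Threat Labs or from the malware: it reverses and splits the configuration string exactly as quoted above, pulls the URL list out of the krapivec = Array(...) statement, and counts how many of the listed indicators a script trips. The VBScript it runs against is a constructed stand-in for an extracted attachment (the roles given to Williams and Kullipin, and the URLs, which use the reserved .example domain, are assumptions); decompressing the 7z archive to reach the .vbs is left to the caller.

```python
import re
from typing import Dict, List

# Recurring strings from the VBScript attachments, as listed above, turned into
# regexes. The URL-array pattern escapes the "(" so it matches literally.
INDICATORS: Dict[str, "re.Pattern"] = {
    "url_array": re.compile(r"krapivec\s*=\s*Array\(", re.IGNORECASE),
    "williams": re.compile(r"\bWilliams\b"),
    "kullipin": re.compile(r"\bKullipin\b"),
    "firefox57_ua": re.compile(
        r'CUA\s*=\s*"Mozilla/5\.0 \(Windows NT 6\.1; Win64; x64; rv:57\.0\) '
        r'Gecko/20100101 Firefox/57\.0"'
    ),
    "reversed_config": re.compile(r"elifotevas>ydoBesnopser>etirw>nepo>"),
}

# The reversed, ">"-delimited configuration string quoted on this page.
PAGE_CONFIG_BLOB = (
    "elifotevas>ydoBesnopser>etirw>nepo>epyT>PmeT>TeG>ssecorP>"
    "llehs.tpircsW>noitacilppA.llehs>Maerts.bdodA>PTTHLMX.tfosorciM"
)

# Constructed stand-in for an extracted .vbs attachment (not a real sample).
# The roles of Williams/Kullipin and the .example URLs are assumptions.
SAMPLE_VBS = r'''
' constructed test input modelled on the attachments described above
Dim Williams, Kullipin
krapivec = Array("http://dl1.example/x.exe", "http://dl2.example/x.exe")
CUA ="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"
Kullipin = "elifotevas>ydoBesnopser>etirw>nepo>epyT>PmeT>TeG>ssecorP>llehs.tpircsW>noitacilppA.llehs>Maerts.bdodA>PTTHLMX.tfosorciM"
Williams = Split(StrReverse(Kullipin), ">")
'''

# A quoted string carrying at least five ">" separators is taken to be the config blob.
BLOB_RX = re.compile(r'"([^"]*(?:>[^"]*){5,})"')
URL_ARRAY_RX = re.compile(r"krapivec\s*=\s*Array\((.*?)\)", re.IGNORECASE | re.DOTALL)


def decode_config(blob: str) -> List[str]:
    """Undo the obfuscation: reverse the whole string, then split on '>'."""
    return blob[::-1].split(">")


def extract_urls(vbs: str) -> List[str]:
    """Return the download URLs from the krapivec = Array("...", "...") statement."""
    m = URL_ARRAY_RX.search(vbs)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def match_indicators(vbs: str) -> Dict[str, bool]:
    """Which of the listed attachment patterns the script contains."""
    return {name: bool(rx.search(vbs)) for name, rx in INDICATORS.items()}


def triage(vbs: str, min_hits: int = 3) -> dict:
    """Score one extracted .vbs and decode its configuration string if present."""
    hits = match_indicators(vbs)
    blob = BLOB_RX.search(vbs)
    hit_count = sum(hits.values())
    return {
        "indicators": hits,
        "hit_count": hit_count,
        "suspicious": hit_count >= min_hits,
        "urls": extract_urls(vbs),
        "config": decode_config(blob.group(1)) if blob else [],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_VBS)
    print("suspicious:", report["suspicious"], "hits:", report["hit_count"])
    print("download URLs:", report["urls"])
    print("decoded config:", report["config"])
```

Feeding the output of a 7z extraction step into triage() gives the same match an IDS rule would, and the decoded token list (Microsoft.XMLHTTP, Adodb.streaM, shell.Application, Wscript.shell, GeT, TemP, open, write, responseBody, savetofile) is the object and method vocabulary of a classic download-and-execute stub, a useful sanity check that the blob found really is the script's configuration rather than some other quoted string.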

Ransomware Payload Analysis

The ransomware payload comes in the form of an NSIS installer. When launched, it unpacks itself, spawns a copy of itself in suspended mode and injects its code into the child using the process hollowing technique.

image2.png

When the malicious payload is executed, the malware encrypts files and appends the “..doc” extension to them. Previous and other versions of the ransomware are known to use other extensions.

The malware ensures persistence by adding a run entry named “UpdateBrowserCheck”, whose value is the path to the ransomware executable, under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce. RunOnce entries are removed after they execute, so this relaunches the ransomware at the next logon and the entry is then gone.

image13.png

It writes a temporary batch file to the system, as shown below, with commands that delete any volume shadow copies so that encrypted files cannot be restored from them. It also clears all event logs on the system to cover its tracks.

image7.png

Strings from the unpacked sample:

The ransom file name and the ransom note.

image12.png

Batch commands run by the malware:

image5.png
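The batch file's two actions, shadow copy deletion and event log clearing, are worth catching on the endpoint before encryption finishes, since both precede or accompany the damage. The Python below is an added example, not Juniper's or the malware's code. The page does not reproduce the batch commands, so the rule set assumes the standard Windows commands for those two actions (vssadmin delete shadows, wmic shadowcopy delete, wevtutil cl and their PowerShell/WMI equivalents) and runs them over a constructed batch file and a constructed list of benign administrative commands. The same functions apply unchanged to command lines taken from process-creation telemetry such as Sysmon Event ID 1 or Security event 4688.

```python
import re
from typing import Dict, List, Tuple

# The page names the two actions in the batch file (delete shadow copies, clear
# event logs) but not its commands. These patterns cover the standard Windows
# commands for those actions; that they match this sample's batch is an assumption.
RULES: Dict[str, "re.Pattern"] = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"
        r"|\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"
        r"|\bwin32_shadowcopy\b.*\bdelete\b",
        re.IGNORECASE,
    ),
    "event_log_clearing": re.compile(
        r"\bwevtutil(?:\.exe)?\b\s+(?:cl|clear-log)\b"
        r"|\bClear-EventLog\b",
        re.IGNORECASE,
    ),
}

# Constructed batch file in the shape described above (not the sample's own file).
SAMPLE_BATCH = r"""
@echo off
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
for /F "tokens=*" %%1 in ('wevtutil.exe el') DO wevtutil.exe cl "%%1"
del %0
"""

# Constructed benign administrative activity that must not trip the rules.
BENIGN_COMMANDS = [
    "vssadmin list shadows",
    "wevtutil qe System /c:5 /f:text",
    "wmic os get caption",
]


def classify_command(cmdline: str) -> List[str]:
    """Names of the rules a single command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(lines) -> List[Tuple[int, str, List[str]]]:
    """(line_no, command, tags) for each non-comment line that matches a rule."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.lower().startswith(("rem ", "::", "@echo")):
            continue
        tags = classify_command(line)
        if tags:
            hits.append((n, line, tags))
    return hits


def sabotages_recovery(lines) -> bool:
    """True when one script both deletes shadow copies and clears event logs,
    the combination the GlobeImposter batch file performs."""
    seen = {tag for _, _, tags in scan(lines) for tag in tags}
    return {"shadow_copy_deletion", "event_log_clearing"} <= seen


if __name__ == "__main__":
    batch_lines = SAMPLE_BATCH.splitlines()
    for n, cmd, tags in scan(batch_lines):
        print(f"line {n}: {tags} <- {cmd}")
    print("recovery sabotage:", sabotages_recovery(batch_lines))
    print("benign hits:", scan(BENIGN_COMMANDS))
```

Treating the pair of behaviours as one signal, rather than alerting on each command separately, keeps legitimate backup maintenance (a scheduled vssadmin delete shadows with no log clearing) from paging anyone, while the combination seen here has no routine administrative explanation.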

Ransom Note

The ransom note, “Read__ME.html”, is dropped into every directory where files are encrypted and asks the user to connect to the Tor network for the decryptor. Clicking the “Buy Decryptor” button redirects the user to an onion link that states the ransom amount and starts a 48-hour timer, after which the ransom amount doubles.

It is interesting to note the difference from other ransomware: the start of the timer is not tied to the encryption time, and the ransom amount is not known at the time the victim is notified of what has just happened. Both require the victim to visit the Tor web address before the timer is triggered and the ransom amount is revealed.

Like other ransomware, this variant of GlobeImposter allows the victim to decrypt one file of their choice to gain assurance that decryption is possible before paying the ransom. Many victims refuse to pay because they do not believe there is any guarantee of recovering their files, and ransomware gangs are having to recover from the damage done to their image by wipers disguised as ransomware.

image11.png image3.png image9.png

Detection

Both Cyphort (now a Juniper company) and Juniper Sky ATP detect the email attachment and the ransomware payload.

image1.png image10.png image4.png image15.png

Many thanks to Abhijit Mohanta from the Threat Research Team for co-authoring this blog.