I recently found a wave of malicious spam (malspam) that started as early as Monday 2018-03-05 at 18:28 UTC and lasted through at least Tuesday 2018-03-06 at 14:44 UTC. This wave of malspam had Word documents as file attachments, and these Word docs had macros designed to infect Windows hosts with ransomware. When I checked Monday evening, I infected one of my lab hosts with GlobeImposter ransomware. When I checked Tuesday morning, I saw GandCrab ransomware.
This is interesting, because in 2018, I've seen very few examples of mass-distribution malspam pushing ransomware. So far in 2018, such malspam has been pushing mostly information stealers, backdoors, and cryptocurrency miners. So it's always noteworthy when I find something like this.
Today's diary examines this wave of malspam, the infection traffic, and associated indicators.
Patterns for these emails were consistent, but I couldn't match them to a specific campaign. Sending addresses, subject lines, email headers, and message text were all varied. The only consistent part of this malspam was the Word document attachments, which were all named " Resume.doc" with a space before the first letter. And even then, each attachment had a different file hash.
The attachments were typical Word documents with malicious macros. They work similar to malicious macros seen in other malspam campaigns, using Powershell to retrieve a malware binary to infect a vulnerable Windows host.
Infection traffic from Monday evening showed indicators of GlobeImposter ransomware. After the macro used Powershell to retrieve the ransomware binary from a server at 126.96.36.199, I saw an HTTP request to psoeiras.net for an IP address check. The URL to psoeiras.net was similar to what I've documented before with GlobeImposter ransomware infections.
When I checked again Tuesday morning, I saw the same URL to 188.8.131.52 for a ransomware binary However, this time, the follow-up HTTP request for the IP address check went to nomoreransom.coin, with follow-up DNS queries for nomoreransom.bit and gandcrab.bit. These domains are typical for what I've previously documented with GandCrab ransomware.
Forensics on an infected Windows host
The GandCrab ransomware sample didn't encrypt any files on my lab host, but the GlobeImposter binary did. All files encrypted by the GlobeImposter sample used a .gif file extension. Previous samples of GlobeImposter I'd tested in December 2017 used Read__ME.html for the decryption instructions, but this 2018 sample used Read__ME.txt. The GlobeImposter decryptor seen through my Tor browser had a visual upgrade with a nice background image, but it still had the same basic setup as before.
The GlobeImposter infection stayed persistent on my infected lab host through the Windows registry. Like many malware samples I've seen, this one used the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key. However, the binary used for persistence was not the same binary used during the initial infection. The persistent binary for this GlobeImposter infection was only 22,528 bytes.
See below for a list of URLs, domains, and file hashes associated with this malspam.
SHA256 hashes for all attachments named " Resume.doc":
The following are malware samples retrieved from my infected lab hosts:
The following are URLs and domains associated with these infections:
Although ransomware is down compared to last year, every once in a while we still see a wave of malspam like this, pushing recent ransomware families seen in prior mass-distribution campaigns. So far in 2018, GlobeImposter and GandCrab are the only ones I've seen in mass-distribution malspam. However, these recent samples don't seem to be any more dangerous now than they were before.
As always, properly-administered Windows hosts are unlikely to get infected. To infect their computers, users would have to ignore multiple warnings to retrieve and activate the malicious Word document, which includes bypassing Protected View. System administrators and the technically inclined can also implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.
Pcap and malware samples for today's diary can be found here.
Mar 7th 2018
1 year ago