Authors: Dr. Fahim Abbasi and Nicholas Ramos
Figure 1: Timeline of the spam campaign showing the spam peaks
Table 1: Spam by country of origin for this campaign.
Analysis of the Email Body
Figure 2: Sample Email message with the zipped attachment
Figure 3: Sample Email message with a similar zipped attachment
Analysis of the Attachment
Figure 6: Trigger function that recursively calls all the other malicious JS functions
The trigger function first de-obfuscates the URLs and then uses them to download the malicious payload. The script's de-obfuscation method is simple: it removes the commas that were inserted into each URL. As a failsafe, the attackers embedded five different URLs in this function so that at least one malicious payload is downloaded even if the others have been taken offline. A code snippet is shown in Figure 7.
Figure 7: URLs hosting malicious payload are de-obfuscated
These de-obfuscated URLs are then supplied to a downloader function, which uses the Microsoft ActiveX object MSXML2.XMLHTTP. This object sends an arbitrary HTTP request, receives the response, and has the Microsoft XML Document Object Model (DOM) parse that response. Here the Open method initializes an MSXML2.XMLHTTP request and specifies the HTTP method and the URL, as shown in Figure 8. The use of Microsoft ActiveX objects indicates that the spammers are targeting Microsoft Windows victims. On Windows the script can be executed simply by double-clicking it. This is facilitated by the Microsoft Windows Script Host (WSH), a framework for running and automating scripts from the GUI using WScript.exe or from the command line using CScript.exe; WSH supports scripting engines such as JScript and VBScript. Additionally, the script could be interpreted and executed by web browsers, especially Microsoft Internet Explorer and Edge. Other browsers running IE extensions that support ActiveX objects may also be vulnerable.
Figure 8: The Downloader function, that initiates the file download over HTTP, along with some inline comments
Next, the attackers use the ActiveX stream and filesystem objects to save the downloaded file to the temp folder under a random name with a .JPG extension and then rename it to .EXE, as illustrated in Figures 9, 10 and 11.
Figure 9: Save the malicious payload in temp folder as a JPG, code along with some inline comments shown
Figure 10: Stream object used to save the downloaded file to disk
Figure 11: Malicious file extension is changed from .JPG to .EXE, code along with some inline comments shown
Figure 12: Payload execution via WScript Shell ActiveX Object, code along with some inline comments shown
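As an added defender-side example (not code from the original post or from the campaign's script), the following Python triage helper applies the comma-stripping de-obfuscation from Figure 7 to every string literal in a JScript attachment and reports which ActiveX ProgIDs of the download, save, rename and execute stages (Figures 8 to 12) the script instantiates. The embedded sample script and the watch list of ProgIDs are constructed assumptions; only MSXML2.XMLHTTP and WScript.Shell are named on the page.

```python
import re

# Constructed sample (not the campaign's script): comma-obfuscated URLs plus
# the ActiveX ProgIDs a download-save-rename-execute chain typically needs.
SAMPLE_JS = r'''
var u = ["h,t,t,p,:,/,/,e,x,a,m,p,l,e,.,c,o,m,/,a,.,d,a,t",
         "h,t,t,p,:,/,/,e,x,a,m,p,l,e,.,n,e,t,/,b,.,d,o,c"];
var x = new ActiveXObject("MSXML2.XMLHTTP");
var fs = new ActiveXObject("Scripting.FileSystemObject");
var st = new ActiveXObject("ADODB.Stream");
var sh = new ActiveXObject("WScript.Shell");
'''

STRING_LIT = re.compile(r'"([^"\\]*)"|' + r"'([^'\\]*)'")
ACTIVEX = re.compile(r'new\s+ActiveXObject\s*\(\s*["\']([^"\']+)["\']', re.I)

# ProgID substring -> capability it gives the script (assumed watch list).
WATCHED = [
    ("msxml2.xmlhttp", "HTTP download"),
    ("adodb.stream", "binary write to disk"),
    ("scripting.filesystemobject", "temp-folder file handling / rename"),
    ("wscript.shell", "payload execution"),
]

def deobfuscate_urls(js_text):
    """Recover URLs hidden by inserting commas between their characters."""
    urls = []
    for m in STRING_LIT.finditer(js_text):
        lit = m.group(1) if m.group(1) is not None else m.group(2)
        candidate = lit.replace(",", "")
        if "," in lit and re.match(r"https?://\S+$", candidate):
            urls.append(candidate)
    return urls

def activex_progids(js_text):
    """All ProgIDs passed to new ActiveXObject(...), lower-cased and sorted."""
    return sorted({m.group(1).lower() for m in ACTIVEX.finditer(js_text)})

def triage(js_text):
    """Summarise recovered URLs and capabilities; flag the full dropper chain."""
    progids = activex_progids(js_text)
    caps = [desc for key, desc in WATCHED if any(key in p for p in progids)]
    # download + write to disk + execute together is the dropper pattern
    chain = all(any(k in p for p in progids)
                for k in ("msxml2.xmlhttp", "adodb.stream", "wscript.shell"))
    return {"urls": deobfuscate_urls(js_text), "capabilities": caps,
            "dropper_chain": chain}

if __name__ == "__main__":
    print(triage(SAMPLE_JS))
```

The recovered URLs can be fed straight into blocklists or proxy-log searches, and the three-stage ProgID combination is a useful YARA-style condition for mail-gateway scanning of .js attachments.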
Analysis of the Malicious Payload dropped by the JS
Payload – IOC
The FakeGlobe payload was hosted on the embedded URLs ending in the *.dat extension. An example URL extracted from the JS file is listed here:
Hash of the Downloaded Files:
Encrypted Files and Ransom Note for FakeGlobe:
After execution, the FakeGlobe ransomware sample encrypts and renames files. Encrypted files are given the *.crypt extension, as shown in Figure 13, and a ransom note is dropped as an HTML file, shown in Figure 14.
Figure 13: Files renamed with *.crypt extension
Figure 14: FakeGlobe Ransomware Note
The Cerber ransomware was hosted on URLs ending in the *.doc extension. A few URLs extracted from the JS file are listed here:
Hash of Downloaded Files:
- MD5: FE1BC60A95B2C2D77CD5D232296A7FA4
- SHA1: C07DFDEA8DA2DA5BAD036E7C2F5D37582E1CF684
Encrypted Files and Ransom Note:
After execution, the Cerber ransomware sample encrypts and renames files. Files encrypted by Cerber are given a random filename and extension; this sample used random filenames with the extension "*.ab22", as shown in Figure 15. Cerber usually drops its ransom note in both "*.hta" and "*.txt" formats, as shown in Figures 16 and 17.
Figure 15: Encrypted files with random name and *.ab22 extension
Figure 16: Ransom note Text file contents
Aside from the files, it also changes the desktop wallpaper to display a ransom note, a typical Cerber behavior.
Figure 17: Ransom note HTML file contents
We would like to thank Gerald Carsula for his helpful contributions and Phil Hay for his valuable feedback and advice.