Lockscreen Ransomware Phishing Leads To Google Play Card Scam

Email scammers always seem to invent new ways of trickery to extract cash from their victims. We recently came across a case where the scammer reused some existing scripts to phish and scam, copy-and-paste style. With a bit of modification, the script works like ransomware, without the hassle of having to compile a portable executable. This screen-locker ransomware variant locks the user's screen and demands a ransom, rather than encrypting files like typical ransomware. The ransom demanded in this case was in the form of Google Play Cards.

Below is an overview of the process, from the email hyperlinks and file downloads to how these files are installed and work on the victim's computer.

Figure 1. From Scripts to Scams

The scam starts with an email. Recently, we have seen an email spam campaign pretending to be an important update for your computer. The email "From:" address is help@supportwindows followed by some digits.

In the first email sample, the hyperlink provided directly downloads a batch file, WindowsUpdate.bat.

Figure 2. An email written in French, translated into English, asking the user to update their computer.

In the second email sample, the hyperlink uses a short URL service that leads to a WordPress website.

Figure 3. Emails implying that a Windows OS license has expired.

Should the victim click the hyperlink provided in the second email sample, they are redirected to the WordPress web page below:

Figure 4. The WordPress website posing as Windows Support.

Clicking the 'Microsoft' image downloads WindowsUpdate.bat, and hitting the 'Download Now' button downloads the key.rar archive file. Should the victim decide to open the downloaded archive, they will see two script files, named License1.bat and License2.vbs.

Figure 5. The keys to scamming

In the first email sample, the hyperlink provided downloads WindowsUpdate.bat. The file in the archive, License1.bat, is identical to WindowsUpdate.bat. It is a modified version of an old script that was uploaded to pastebin.com back in 2017. The script can be viewed here.

Figure 6. Side-by-side comparison of the modified (left pane) and the original (right pane) script

The batch file serves as the installer. Running it drops another VBS file and two batch files into the user's Startup folder. These scripts are executed automatically every time the computer starts.

Figure 7. Dropping files into the User Startup folder yields the auto-run technique

The file License2.vbs from the archive and the dropped file startup1.vbs are identical. This script opens Microsoft Internet Explorer in full-screen mode, hiding the address, menu and status bars, and navigates to hxxp://whoawareness[.]com/?page_id=93.

Figure 8. It is like pressing the F11 key on the keyboard. That is the trick.

Whether startup1.vbs is triggered when the computer boots or License2.vbs is executed from the key.rar archive, the victim is tricked into thinking that their computer is 'blocked'.

Figure 9. Works a bit like a ransom note.

And a notification appears:

Figure 10. A message box appears, with a contact email provided.

Further down, the web page asks you to purchase a Google Play Store Card worth 100 Euros to activate a new license for your computer and provides a video on how to scratch off this card. The scammers also list stores where you can buy these cards and provide a cellphone screenshot of them.

Figure 11. How to scratch the purchased card.

Figure 12. List of retail stores where you can purchase the Google Play Card.

Finally, the scammers ask you to fill out the form with your personal information together with the Google Play Card Code.

Figure 13. Phishing and Scam

With a Google Play balance, you can buy apps, books, movies, music, Newsstand content and subscriptions offered in the Google Play Store. The other two files created in the User Startup folder are:

startup1.bat – Since this script was reused and modified, it is intended to change the home page of Microsoft Internet Explorer and Mozilla Firefox by modifying the registry. Both of the URLs listed in the script were already inaccessible at the time of analysis.

startup2.bat – Terminates Windows Explorer.

Figure 14. startup1.bat adds new registry entries to change the home page of the listed browsers

Figure 15. startup2.bat terminates the Windows Explorer process (explorer.exe)

As we were about to publish this, we noticed that the WordPress site at whoawareness.com had changed. It now uses scare tactics, especially noticeable when your audio volume is turned up. It shows an image of the "detected threats" on your machine, where the window style is evidently from Windows XP. Then there are two message boxes: a fake system alert, and a phishing form that asks you to key in your username and password.

Figure 16. Another lockscreen image replaced the landing page reached through the tinyurl redirection.

Figure 17. The alarming audio, with a voice-over informing you that your machine is infected

Mitigation and Clean Up Procedures

Follow the steps below to terminate the running process and remove all dropped files and modified registry entries.

1.  Open Task Manager, look for the process 'wscript.exe', right-click it and select 'End Task'.

2.  Press F11 on the keyboard. This exits the full-screen mode of the IE browser; then close the browser.

3.  Open the Run dialog (or press the Windows key + R at the same time) and type 'shell:startup'. This opens the User Startup folder. Delete the dropped files startup1.vbs, startup1.bat and startup2.bat.

4.  Open Registry Editor.

Find the following keys in their respective locations:

[Screenshot: the registry keys added by startup1.bat for the browser home pages]

Delete these keys and the subkeys tied to them.

Find the following key in its respective location:

[Screenshot: the Internet Explorer 'Start Page' key]

You can change the value of the Start Page key back to your original home page, or simply delete this subkey.

5.  If you have Mozilla Firefox installed on your system, navigate to your Firefox profile folder (under %APPDATA%\Mozilla\Firefox\Profiles) and open the prefs.js file in a text editor.

In the text editor, look for the line that sets the hijacked home page (shown below), delete it, then save the file:

[Screenshot: the home page line in prefs.js]
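The persistence and clean-up steps above (Startup-folder scripts, the wscript.exe lockscreen process, and the IE and Firefox home-page changes) can be audited in one pass. The following PowerShell script is an added example, not part of the original post or the campaign's own scripts; the file names come from the post, while the IE registry path and the Firefox browser.startup.homepage preference are the standard locations for those settings, not values read from the post's screenshots.

```powershell
# Added example (not from the original post): audit/clean-up for the artifacts described.
# File names are from the post; the IE registry path and Firefox prefs.js key are the
# standard locations for those settings. Without -Remove the script only reports.
param([switch]$Remove)

$startup  = [Environment]::GetFolderPath('Startup')        # same folder as shell:startup
$scripts  = 'startup1.vbs', 'startup1.bat', 'startup2.bat', 'License2.vbs'
$findings = New-Object System.Collections.Generic.List[string]

# Step 1: the lockscreen page is driven by wscript.exe running one of the VBS files.
Get-CimInstance Win32_Process -Filter "Name='wscript.exe'" | ForEach-Object {
    $cmd = [string]$_.CommandLine
    if ($scripts | Where-Object { $cmd -like "*$_*" }) {
        $findings.Add("wscript.exe PID $($_.ProcessId): $cmd")
        if ($Remove) { Stop-Process -Id $_.ProcessId -Force }
    }
}

# Step 3: dropped scripts in the per-user Startup folder (the persistence mechanism).
$dropped = @(foreach ($n in $scripts) { Join-Path $startup $n | Where-Object { Test-Path $_ } })
foreach ($p in $dropped) {
    $findings.Add("Startup script present: $p")
    if ($Remove) { Remove-Item $p -Force }
}
$confirmed = $dropped.Count -gt 0     # only touch browser settings on a confirmed infection

# Step 4: startup1.bat rewrites the IE 'Start Page' value; report it, delete it if confirmed.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$page   = (Get-ItemProperty $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($page) {
    $findings.Add("IE Start Page is '$page' (verify this is your own home page)")
    if ($Remove -and $confirmed) { Remove-ItemProperty $ieMain -Name 'Start Page' }
}

# Step 5: Firefox stores its home page as browser.startup.homepage in prefs.js.
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
Get-ChildItem $profiles -Filter prefs.js -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $file  = $_.FullName
    $lines = Get-Content $file
    $hp    = $lines | Where-Object { $_ -match 'browser\.startup\.homepage' }
    if ($hp) {
        $findings.Add("Firefox home page line in ${file}: $hp")
        if ($Remove -and $confirmed) {
            $lines | Where-Object { $_ -notmatch 'browser\.startup\.homepage' } | Set-Content $file
        }
    }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No artifacts from this campaign found.' }
```

Run it first without -Remove to review what it finds; browser settings are only changed when at least one of the dropped Startup-folder scripts is present, so a clean machine with a custom home page is left alone.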

Remember, updates for your computer never really arrive as email notifications; they simply pop up around your taskbar, waiting for you to click, install and restart. And if your Microsoft Windows activation license is invalid, a notice appears at the bottom right of your desktop. Simply avoid or ignore these amateurish unsolicited emails alerting you that you need an update.


IOCs

URLs:

hxxp://whoawareness[.]com
hxxp://tinyurl[.]com/whoawareness
hxxp://whoawareness[.]com/?page_id=93
hxxp://whoawareness[.]com/WindowsUpdate.bat
hxxp://whoawareness[.]com/?smd_process_download=1&download_id=82

