Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Spammed JScript Phones Home To Download NemucodAES And Kovter

Contributed by: Gerald Carsula, Rodel Mendez and Nicholas Ramos

Last June, we reported that Kovter was being spammed together with Cerber ransomware that used a fake email delivery notification. For the last few weeks another set of fake UPS delivery notification spam has emerged again but instead of Kovter leading the payload attack, it was a PHP-based ransomware.

Infection Vector

The initial email spam is purportedly about a failed delivery of an item or a parcel. It asks the user to review the details of the delivery through the attached ZIP file which holds a malicious JS file.

9209_4e79fe3e-3509-4aa5-a26c-7cbb9771a2fe

Figure 1: Email Sample - Fake UPS Delivery Notification

BSL_11282_b185552e-3803-47be-923a-1a033bc24588

Figure 2: Email Sample - Fake UPS Delivery Notification

The curious victim can be enticed to extract and execute the (*.JS) file from the attached ZIP archive. On execution, the malicious JavaScript will build a set of URLs from different hostnames on one of its variable arrays.

10673_9401eae4-fb78-4f89-9dfb-48025957ad47

Figure 3: Email Attachment - JS file

Once connected to one of the URLs, an obfuscated JS file will be downloaded. A sample JS file is shown below and consists of several hardcoded stings. To de-obfuscate it, we replaced these strings with the character "a" and performed a concatenation with the rest of the other variables.

8830_3c3cbff2-84f3-4e4f-8ae3-baca5fc5414e

Figure 4: Obfuscated downloaded JS file

Once properly de-obfuscated, the JS file will immediately create a dummy WORD document file with random characters. It will open the document which serves as a decoy or to trick the user that it has executed a WORD document instead of a JS file.


7980_1115ad90-5bee-4a6f-86b2-dc47e8f9cad4

Figure 5: De-obfuscated downloaded JS file - Word Document Dummy Creation

Then, the downloaded JS file will build another distinct set of URLs based from a separate set of domain/hostnames and URIs. Take note that the variable "n" is crucial to properly determine what file will be download. A table below shows the URL and the equivalent file that will be downloaded.

8659_33bd700c-83fc-499e-8a33-5ee8168a3d96

Figure 6: De-obfuscated downloaded JS file - Downloading the Payloads

var n 3
URL http://{array[item]}/counter/?{hardcoded}0fals3
Filepath %TEMP%/1D2PpPKZcJURTNwSHSFwLCU9Rtm8qb4tk8.exe
Description PHP Executable
MD5 7A962AFC3D437A5046C3ADE4ED6E2696
SHA-1 521FD3420A3939CFD10B181A41D6334728F41CD1

 

var n 4
URL http://{array[item]}/counter/?{hardcoded}0fals4
Filepath %TEMP%/php5.dll
Description PHP DLL
MD5 91660C94F9F3283785FEBCB51CADBA4C
SHA-1 242200D2AF9CDFABEDC8BD382F575AD9CFABDBFD

 

var n 2
URL http://{array[item]}/counter/?{hardcoded}0fals2
Filepath %TEMP%/1D2PpPKZcJURTNwSHSFwLCU9Rtm8qb4tk82.exe
Description Kovter Malware
MD5 ED3421FF73709830C46B31188FE0D73E
SHA-1 8E53AB396DBC806765FDD52EE01C3D6C9DDEAA62

 

Next, if both the PHP executable and PHP DLL have been downloaded, or are already existing in the system, the downloaded JS file will create an obfuscated PHP script in the %TEMP% folder.

9348_54f0e0fa-41aa-4e11-b802-ea476ef288ab

Figure 7: De-obfuscated downloaded JS file - Creating the PHP Script

Then using the PHP executable, the JS file executes the newly created PHP script with the following arguments:
Bitcoin Address, Bitcoin Price, and the Public Key

9612_631d11de-4668-42ff-8b2e-6546d644a171

Figure 8: De-obfuscated downloaded JS file - Executing the PHP Script

A flowchart below shows the full infection flow from e-mail up to the payloads.

9117_4acc255f-4d88-48b6-9f74-bb27d646c951
Figure 9: Flowchart - Infection Vector

Main Payload – PHP Ransomware

Since the PHP script is obfuscated, a simple string replacement and gzinflate method should be performed. There is free online tool that could perform gzinflate. Once properly de-obfuscated, it recursively searches for files with specific extension names starting from root of C:\ drive up to root of Z:\ drive.

9486_5c087e62-8ed2-4dbc-8c22-729c71ef0ecb
Figure 10: PHP Script - Drive Enumeration and Recursive File Searching

It then searches for files the following file extension:

lnk|123|602|dif|docb|docm|dot|dotm|dotx|hwp|mml|odg|odp|ods|otg|otp|ots|ott|pot

potm|potx|ppam|ppsm|ppsx|pptm|sldm|sldx|slk|stc|std|sti|stw|sxc|sxd|sxm|sxw|txt

uop|uot|wb2|wk1|wks|xlc|xlm|xlsb|xlsm|xlt|xltm|xltx|xlw|xml|asp|bat|brd|c|cmd

dch|dip|jar|js|rb|sch|sh|vbs|3g2|fla|m4u|swf|bmp|cgm|djv|gif|nef|png|db|dbf|frm

ibd|ldf|myd|myi|onenotec2|sqlite3|sqlitedb|paq|tbk|tgz|3dm|asc|lay|lay6|ms11

ms11|crt|csr|key|p12|pem|qcow2|vmx|aes|zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip

arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps

sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php

pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv

tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb

slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf

wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi

vmdk|vhd|dsk|img|iso

But also avoids folder names that starts with the following strings:

winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming

msoffice|temporary|cache

9710_683157f2-dc99-4ea9-a2df-a03fd2c5fe69

Figure 11: PHP Script - Searching for Files to Encrypt

All the files that matched the criteria above will be listed on a buffer that will be encrypted after it has setup the ransom note. The ransom note needs to be inflated using the same gzinflate method.

12591_f03cbd06-3daa-40ad-a33d-d7ca08792f1a

Figure 12: PHP Script - Inflate - Ransomnote

Once inflated, some HTA code will be revealed, giving details of the bitcoin payments.

12225_e09f9088-01d3-4801-b95f-be5d5faa0d36

Figure 13: PHP Script - HTA - Ransomnote

This PHP ransomware uses AES encryption. It will encrypt the first 100000 bytes of a file using a randomly-generated 128 characters long key. Every file has its own unique key. It saves the filename, encryption key and the 100000 encrypted bytes of the said file on a single "database" file.

8430_28c2b66f-af0a-48ee-9f53-bdc21fc54088

Figure 14: PHP Script - File Encryption

Lastly, the PHP script will hash details of computer name, username, OS version, and send it to a CnC server including other information like public key and statistical information on how many name files were searched and encrypted.

9788_6c86cdc2-efdb-49e5-8b65-a2378dffdbbb

Figure 15: PHP Script - Sends out Information

11889_ce671d8a-41d6-4e3a-a306-8fed1762056c

Figure 16: Network Traffic - Information send out

The flow chart below gives a full overview of the PHP Ransomware behavior:

10300_82a67169-7178-4173-aaa8-2f9dc1cd76d5

Figure 17: Flowchart - PHP Ransomware

Possible Secondary Payload: KOVTER Malware - IOC

Kovter is a secondary payload and the actors behind this campaign chose to disable the download and execution of this file. The Kovter executable however was still alive on the web host at the time of analysis so we took a quick look of its behavior. Once, executed it drops a couple of files in %LocalAppData%.

11682_c55f38fd-9615-452b-bb64-0e2f9374643f

Figure 18: Kovter - Dropped File

These consist of a batch file and an encrypted JavaScript file. The batch file loads the encrypted JavaScript.

start "T8OVa8EVZT2kXEVqShD6l" "%LOCALAPPDATA%\b6bee4f9\d2f4b4bf.f80c91052"

Here is the content of the encrypted Javascript script.

8068_162ec53e-153a-497c-a85f-8f34d2ff8581

Figure 19: Kovter - JavaScript

The encrypted JavaScript's file extension .f80c91052 was actually registered by the malware in the infected Windows registry as a valid file extension

11500_bc40a231-32cd-4b99-9024-811ff2f85078

Figure 20: Kovter - Registered File Extension

This file extension points to a6005236, a handler that points to yet another registry key that contains the JavaScript decryption and loading of the main malware:

HKEY_CLASSES_ROOT\a6005236\shell\open\command

11508_bca54301-9e52-4712-a3c8-0c3d95798262

Figure 21: Kovter - Spawn Shell

This registry shell entry will execute a JavaScript that loads another obfuscated JavaScript stored in the registry key HKCU\\software\\mecyuvs\\rrattu

Content of the registry key:

"C:\Windows\system32\mshta.exe" "javascript:Sqq8J="kYTJpUP";

s0Y=new ActiveXObject("WScript.Shell");Fm5baD="dxEb";

QF2xm=s0Y.RegRead("HKCU\\software\\mecyuvs\\rrattu");ine7HS9="V";

eval(QF2xm);iDxKR9="2TyRLeos";"

The registry key HKCU\\software\\mecyuvs\\rrattu, is another obfuscated Javascript that loads an obfuscated PowerShell script

10860_9d20ac51-1c44-4d77-9554-d2f15779de1c

Figure 22: Kovter - PowerShell Script on Registry

This PowerShell will spawn a regsvr32.exe process where the Kovter module is injected.

9933_72c60cea-619f-4bbd-bb4b-d07da85e6f6e

Figure 23: Kovter - PowerShell Spawn regsrv32.exe

Once Kovter is running in the injected process, it starts its infamous behavior, the Click-fraud traffic.

12375_e7b1d6f7-2699-43bc-932f-961b95f6f6ac

Figure 23: Kovter - Click-fraud traffic

Conclusions

This spam campaign has proven that old tactics are still effective and reliable but also need to be varied from time to time. The same thing that the threat actors behind this spam campaign has been doing. The campaign has used the same old fake notification with an archived JS file. It uses almost the same algorithm of creating multiple sets of URLs which allows it to download the malicious payload. What did vary this time, is the type of payload that was downloaded and executed. Although not new, the attack used PHP based ransomware instead of the common binary ones. The PHP script will not properly work without downloading the non-malicious PHP interpreter binaries but this is something not everyone would expect given it is somewhat hidden beneath all those obfuscation and inflating methods.

Also, it is critical to highlight that having PHP script based ransomware could be potentially dangerous for webservers. Attackers can look for vulnerable upload scripts on these webservers and leverage them by uploading the ransomware onto the server. Thus, this kind of attack is not just only for a client-side but also potentially the server-side of the Internet infrastructure.

Lastly, this campaign also shows us that the Kovter malware is also lurking around in the background awaiting to be triggered by just a simple update in the JS file.

The Trustwave Secure Email Gateway can recognize and block this threat campaign.

 

Latest SpiderLabs Blogs

2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies

Trustwave SpiderLabs’ 2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report details the security issues facing public sector security teams as...

Read More

How to Create the Asset Inventory You Probably Don't Have

This is Part 12 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More

Guardians of the Gateway: Identity and Access Management Best Practices

This is Part 10 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More