Authors: Dr. Fahim Abbasi and Nicholas Ramos
Analysis of the Email Body
Analysis of the Attachment
The trigger function first de-obfuscates the embedded URLs and then passes them to the downloader. The de-obfuscation is trivial: each URL is stored with commas inserted between its characters, and the function simply strips the commas. As a failsafe, the attackers embedded five different URLs in this function so that the victim still downloads a payload if some of the hosting sites have been taken offline. A code snippet is illustrated in Figure 7.
These URLs are then supplied to a downloader function built on the Microsoft ActiveX object MSXML2.XMLHTTP. This object sends an arbitrary HTTP request, receives the response, and can hand the response to the Microsoft XML Document Object Model (DOM) for parsing. Here the Open method initializes the MSXML2.XMLHTTP request and specifies the HTTP method and the URL, as shown in Figure 8.
The use of ActiveX objects indicates that the spammers are targeting Windows victims. On Windows the script runs simply by double-clicking it: the .js extension is associated with the Windows Script Host (WSH), a framework for running and automating scripts from the GUI via WScript.exe or from the command line via CScript.exe. WSH supports scripting engines such as JScript and VBScript. Internet Explorer also exposes the ActiveXObject constructor to script (subject to its zone security settings), so the same code can run there, and a third-party browser that embeds the Internet Explorer engine through an extension inherits the same exposure; Microsoft Edge and other current browsers do not expose ActiveX, and the attachment's actual delivery mechanism is WSH.
Next, the attackers use the ActiveX stream and filesystem objects (typically ADODB.Stream and Scripting.FileSystemObject) to write the downloaded bytes to the user's temp folder under a random name with a .jpg extension, and then rename the file to .exe, as illustrated in Figures 9, 10 and 11.
Analysis of the Malicious Payload dropped by the JS
Payload – IOC
The FakeGlobe payload was hosted on the embedded URLs ending in a *.dat extension. An example URL extracted from the JS file is listed here:
Hash of the Downloaded Files:
Encrypted Files and Ransom Note for FakeGlobe:
After execution, the FakeGlobe ransomware sample encrypts and renames files. The encrypted files are given the *.crypt extension, as shown in Figure 13, and a ransom note is dropped as an HTML file, as shown in Figure 14.
The Cerber ransomware was hosted on URLs ending with the *.doc extension. A few URLs extracted from the JS file are listed here:
Hash of Downloaded Files:
- MD5: FE1BC60A95B2C2D77CD5D232296A7FA4
- SHA1: C07DFDEA8DA2DA5BAD036E7C2F5D37582E1CF684
Encrypted Files and Ransom Note:
After execution, the Cerber ransomware sample encrypts and renames files. Cerber gives encrypted files a random file name and a random extension; this sample used the extension *.ab22, as shown in Figure 15. Cerber typically drops its ransom note in both *.hta and *.txt formats, as shown in Figures 16 and 17.
Besides dropping the note files, the sample also changes the desktop wallpaper to display a ransom note, typical Cerber behaviour.
We would like to thank Gerald Carsula for his helpful contributions and Phil Hay for his valuable feedback and advice.