Contributed by: Gerald Carsula, Rodel Mendez and Nicholas Ramos
Last June, we reported that Kovter was being spammed together with Cerber ransomware using a fake email delivery notification. For the last few weeks, another wave of fake UPS delivery notification spam has been circulating, but this time the payload is a PHP-based ransomware rather than Kovter.
The initial email spam purports to be about a failed delivery of an item or parcel. It asks the user to review the details of the delivery through the attached ZIP file, which holds a malicious JS file.
Figure 1: Email Sample - Fake UPS Delivery Notification
Figure 2: Email Sample - Fake UPS Delivery Notification
The curious victim can be enticed to extract and execute the (*.JS) file from the attached ZIP archive. On execution, the malicious JavaScript builds a set of URLs from the hostnames held in one of its variable arrays.
Figure 3: Email Attachment - JS file
Once connected to one of the URLs, an obfuscated JS file is downloaded. A sample JS file is shown below and consists of several hardcoded strings. To de-obfuscate it, we replaced these strings with the character "a" and performed a concatenation with the rest of the other variables.
Figure 4: Obfuscated downloaded JS file
Once properly de-obfuscated, the JS file immediately creates a dummy WORD document filled with random characters. It then opens the document, which serves as a decoy to make the user believe a WORD document was executed rather than a JS file.
Figure 5: De-obfuscated downloaded JS file - Word Document Dummy Creation
Then, the downloaded JS file builds another distinct set of URLs based on a separate set of domains/hostnames and URIs. Take note that the variable "n" is crucial in determining which file will be downloaded. The table below shows each URL and the file that it downloads.
Figure 6: De-obfuscated downloaded JS file - Downloading the Payloads
| var n | URL | Filepath | Description | MD5 | SHA-1 |
|---|---|---|---|---|---|
| 3 | http://{array[item]}/counter/?{hardcoded}0fals3 | %TEMP%/1D2PpPKZcJURTNwSHSFwLCU9Rtm8qb4tk8.exe | PHP Executable | 7A962AFC3D437A5046C3ADE4ED6E2696 | 521FD3420A3939CFD10B181A41D6334728F41CD1 |
| 4 | http://{array[item]}/counter/?{hardcoded}0fals4 | %TEMP%/php5.dll | PHP DLL | 91660C94F9F3283785FEBCB51CADBA4C | 242200D2AF9CDFABEDC8BD382F575AD9CFABDBFD |
| 2 | http://{array[item]}/counter/?{hardcoded}0fals2 | %TEMP%/1D2PpPKZcJURTNwSHSFwLCU9Rtm8qb4tk82.exe | Kovter Malware | ED3421FF73709830C46B31188FE0D73E | 8E53AB396DBC806765FDD52EE01C3D6C9DDEAA62 |
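As an added example (not code from the post or from Trustwave), the following Python script turns the table above into detection logic: it matches proxy-log URLs against the stable parts of the downloader URL (the /counter/ path and the 0fals&lt;n&gt; selector) and maps observed MD5/SHA-1 digests to the payload descriptions. The hostnames, client addresses and timestamps in the sample log lines are constructed; only the URL suffix and hashes come from the table.

```python
"""Match proxy-log URLs and file hashes against the downloader IOCs in the
table above. Added example for this post; the log lines are constructed."""
import re

# Payload table from the post, keyed by the value of the JS variable "n"
# that selects the URL suffix "0fals<n>".
PAYLOADS = {
    "2": {"description": "Kovter Malware",
          "md5": "ED3421FF73709830C46B31188FE0D73E",
          "sha1": "8E53AB396DBC806765FDD52EE01C3D6C9DDEAA62"},
    "3": {"description": "PHP Executable",
          "md5": "7A962AFC3D437A5046C3ADE4ED6E2696",
          "sha1": "521FD3420A3939CFD10B181A41D6334728F41CD1"},
    "4": {"description": "PHP DLL",
          "md5": "91660C94F9F3283785FEBCB51CADBA4C",
          "sha1": "242200D2AF9CDFABEDC8BD382F575AD9CFABDBFD"},
}

# The hostname and the hardcoded query prefix vary per sample, so only the
# stable parts of the URL are matched: the /counter/ path and the 0fals<n> tail.
URL_PATTERN = re.compile(r"https?://[^/\s]+/counter/\?[^\s]*0fals(\d)\b")

def classify_url(url: str):
    """Return the payload description for a downloader URL, or None."""
    m = URL_PATTERN.search(url)
    if not m:
        return None
    return PAYLOADS.get(m.group(1), {}).get("description", "unknown selector")

def scan_proxy_log(lines):
    """Return [(client, url, description)] for every request that matches."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[0], parts[2]
        desc = classify_url(url)
        if desc:
            hits.append((client, url, desc))
    return hits

def match_hashes(hashes):
    """Map observed MD5/SHA-1 digests (any case) to payload descriptions."""
    index = {}
    for entry in PAYLOADS.values():
        index[entry["md5"].lower()] = entry["description"]
        index[entry["sha1"].lower()] = entry["description"]
    return {h: index[h.lower()] for h in hashes if h.lower() in index}

# Constructed sample log lines: "<client> <timestamp> <url> <status>".
SAMPLE_LOG = [
    "10.0.0.5 2017-07-03T09:12:01Z http://example.invalid/counter/?abc0fals3 200",
    "10.0.0.5 2017-07-03T09:12:02Z http://example.invalid/counter/?abc0fals4 200",
    "10.0.0.7 2017-07-03T09:13:10Z http://example.invalid/index.html 200",
    "10.0.0.9 2017-07-03T09:14:44Z http://other.invalid/counter/?xyz0fals2 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print(match_hashes(["7a962afc3d437a5046c3ade4ed6e2696", "deadbeef"]))
```

A 404 response is still reported, since the request itself shows that the JS stage ran on the client even when the web host has already gone offline.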
Next, if both the PHP executable and the PHP DLL have been downloaded, or already exist on the system, the downloaded JS file creates an obfuscated PHP script in the %TEMP% folder.
Figure 7: De-obfuscated downloaded JS file - Creating the PHP Script
Then, using the PHP executable, the JS file runs the newly created PHP script with the following arguments:
Bitcoin Address, Bitcoin Price and the Public Key
Figure 8: De-obfuscated downloaded JS file - Executing the PHP Script
A flowchart below shows the full infection flow from e-mail up to the payloads.
Figure 9: Flowchart - Infection Vector
Since the PHP script is obfuscated, a simple string replacement followed by gzinflate has to be performed. There are free online tools that can perform gzinflate. Once properly de-obfuscated, the script recursively searches for files with specific extensions, starting from the root of the C:\ drive up to the root of the Z:\ drive.
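The de-obfuscation step above (string replacement, then gzinflate, repeated per layer) can be scripted rather than pasted into an online tool. The Python below is an added example written for this post, not the campaign's script or Trustwave's tooling: PHP's gzinflate() is raw DEFLATE, which zlib decodes with a negative window size, and the "string replacement" is the joining of 'aa'.'bb' fragments that hand-obfuscated scripts use to split the base64 blob. Because the real script is not reproduced here, the obfuscated input is constructed by applying the same wrapping to a stand-in body.

```python
"""Peel eval(gzinflate(base64_decode(...))) layers from an obfuscated PHP
script. Added example for this post; the obfuscated sample is constructed
by applying the same wrapping so the decoder can run offline."""
import base64
import re
import zlib

def gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate() is raw DEFLATE with no zlib/gzip header (wbits=-15)."""
    return zlib.decompress(data, -15)

def gzdeflate(data: bytes) -> bytes:
    """Inverse of gzinflate(); used only to build the constructed sample."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

# One obfuscation layer: eval(gzinflate(base64_decode(<quoted, possibly
# concatenated string>))); the argument is captured up to the closing
# parenthesis of base64_decode.
LAYER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(([^()]*)\)\s*\)\s*\)\s*;?")

def extract_blob(arg: str) -> str:
    """The 'simple string replacement' step: join 'aa'.'bb' fragments and
    drop the quotes so that only base64 text remains."""
    return arg.replace("'.'", "").strip().strip("'")

def unwrap_once(script: str):
    """Replace the outermost eval(gzinflate(base64_decode(...))) call with
    its decoded content. Returns (new_script, changed)."""
    m = LAYER.search(script)
    if not m:
        return script, False
    decoded = gzinflate(base64.b64decode(extract_blob(m.group(1))))
    text = decoded.decode("utf-8", "replace")
    return script[:m.start()] + text + script[m.end():], True

def deobfuscate(script: str, max_layers: int = 20):
    """Peel layers until no eval/gzinflate wrapper remains.
    Returns (plaintext, number_of_layers_removed)."""
    layers = 0
    while layers < max_layers:
        script, changed = unwrap_once(script)
        if not changed:
            break
        layers += 1
    return script, layers

def wrap(script: str, layers: int = 3, chunk: int = 8) -> str:
    """Constructed sample generator: apply the obfuscation `layers` times,
    splitting the base64 into 'xx'.'yy' fragments."""
    for _ in range(layers):
        b64 = base64.b64encode(gzdeflate(script.encode())).decode()
        frags = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
        script = "eval(gzinflate(base64_decode('%s')));" % "'.'".join(frags)
    return "<?php " + script

# Constructed stand-in for the script body; not the ransomware's code.
PLAINTEXT = "$note = 'ransom note'; foreach ($files as $f) { encrypt($f); }"
SAMPLE = wrap(PLAINTEXT, layers=3)

if __name__ == "__main__":
    text, n = deobfuscate(SAMPLE)
    print("layers removed:", n)
    print(text)
```

The same loop recovers the ransom note, which the post says is inflated with the same gzinflate method: point deobfuscate() at the variable that holds the compressed note, and the HTA markup comes out in one pass.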
Figure 10: PHP Script - Drive Enumeration and Recursive File Searching
It then searches for files with the following extensions:
lnk|123|602|dif|docb|docm|dot|dotm|dotx|hwp|mml|odg|odp|ods|otg|otp|ots|ott|pot|potm|potx|ppam|ppsm|ppsx|pptm|sldm|sldx|slk|stc|std|sti|stw|sxc|sxd|sxm|sxw|txt|uop|uot|wb2|wk1|wks|xlc|xlm|xlsb|xlsm|xlt|xltm|xltx|xlw|xml|asp|bat|brd|c|cmd|dch|dip|jar|js|rb|sch|sh|vbs|3g2|fla|m4u|swf|bmp|cgm|djv|gif|nef|png|db|dbf|frm|ibd|ldf|myd|myi|onenotec2|sqlite3|sqlitedb|paq|tbk|tgz|3dm|asc|lay|lay6|ms11|ms11|crt|csr|key|p12|pem|qcow2|vmx|aes|zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso
It also skips folders whose names start with any of the following strings:
winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache
Figure 11: PHP Script - Searching for Files to Encrypt
All the files that match the criteria above are listed in a buffer and are encrypted once the ransom note has been set up. The ransom note needs to be inflated using the same gzinflate method.
Figure 12: PHP Script - Inflate - Ransomnote
Once inflated, HTA code is revealed that gives the details of the bitcoin payment.
Figure 13: PHP Script - HTA - Ransomnote
This PHP ransomware uses AES encryption. It encrypts the first 100000 bytes of each file using a randomly generated, 128-character-long key; every file has its own unique key. It saves the filename, the encryption key and the 100000 encrypted bytes of that file in a single "database" file.
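Encrypting only the first 100000 bytes leaves a recognisable shape on disk: a file larger than that window has a ciphertext-like head and an untouched, structured tail. The Python below is an added triage heuristic written for this post (not the ransomware's code and not a Trustwave tool) that measures Shannon entropy of the head and of a sample of the tail and flags that mismatch. The entropy thresholds are the author's assumptions, the sample files are constructed in memory, and a file that fits entirely inside the window is reported as inconclusive because high entropy alone cannot separate ciphertext from a compressed archive.

```python
"""Triage heuristic for the partial encryption described above: the script
encrypts only the first 100000 bytes of each file, so an affected document
has a ciphertext-like head followed by its untouched, structured tail.
Added example for this post; thresholds are assumptions and the sample
files are constructed in memory."""
import math
import os
from collections import Counter

HEAD_LEN = 100000      # bytes the PHP script encrypts per file (from the post)
TAIL_SAMPLE = 65536    # how much of the remainder to examine
CIPHERTEXT_MIN = 7.9   # bits/byte: random-looking data (assumed threshold)
STRUCTURED_MAX = 6.5   # bits/byte: text/office-style data (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_parts(head: bytes, tail: bytes) -> str:
    """Verdict for a file given its first HEAD_LEN bytes and a tail sample."""
    head_e = shannon_entropy(head)
    if not tail:
        # Whole file sits inside the encrypted window: high entropy alone
        # cannot tell ciphertext from a zip/jpeg, so do not claim a hit.
        return "inconclusive-short" if head_e > CIPHERTEXT_MIN else "clean"
    tail_e = shannon_entropy(tail)
    if head_e > CIPHERTEXT_MIN and tail_e < STRUCTURED_MAX:
        return "partial-encryption-pattern"
    return "clean"

def classify(data: bytes) -> str:
    """Verdict for an in-memory file."""
    return classify_parts(data[:HEAD_LEN], data[HEAD_LEN:HEAD_LEN + TAIL_SAMPLE])

def scan_files(files: dict) -> dict:
    """files: mapping name -> bytes. Returns name -> verdict."""
    return {name: classify(data) for name, data in files.items()}

def scan_directory(root: str) -> dict:
    """Walk a tree on disk, reading only the head and a tail sample per file."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_LEN)
                    tail = fh.read(TAIL_SAMPLE)
            except OSError:
                continue
            results[path] = classify_parts(head, tail)
    return results

# Constructed samples: a plain-text report, the same report with its first
# 100000 bytes replaced by random data (the pattern the post describes), and
# a file that is random throughout (stands in for a compressed archive).
SENTENCE = b"Quarterly report: revenue, costs and notes for the board.\n"
DOCUMENT = SENTENCE * (250000 // len(SENTENCE))
VICTIM = os.urandom(HEAD_LEN) + DOCUMENT[HEAD_LEN:]
ARCHIVE = os.urandom(250000)
SAMPLES = {"report.txt": DOCUMENT,
           "report_encrypted.txt": VICTIM,
           "photos.zip": ARCHIVE}

if __name__ == "__main__":
    for name, verdict in scan_files(SAMPLES).items():
        print(f"{name}: {verdict}")
```

The "clean" verdict for the all-random file is the intended caveat: archives, images and properly compressed office documents look like ciphertext end to end, so this heuristic only catches files that are larger than the window and structured beyond it.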
Figure 14: PHP Script - File Encryption
Lastly, the PHP script hashes the computer name, username and OS version and sends the result to a CnC server, together with other information such as the public key and statistics on how many files were searched and encrypted.
Figure 15: PHP Script - Sends out Information
Figure 16: Network Traffic - Information sent out
The flow chart below gives a full overview of the PHP Ransomware behavior:
Figure 17: Flowchart - PHP Ransomware
Possible Secondary Payload: KOVTER Malware - IOC
Kovter is a secondary payload, and the actors behind this campaign chose to disable the download and execution of this file. The Kovter executable, however, was still alive on the web host at the time of analysis, so we took a quick look at its behavior. Once executed, it drops a couple of files in %LocalAppData%.
Figure 18: Kovter - Dropped File
These consist of a batch file and an encrypted JavaScript file. The batch file loads the encrypted JavaScript.
start "T8OVa8EVZT2kXEVqShD6l" "%LOCALAPPDATA%\b6bee4f9\d2f4b4bf.f80c91052"
Here is the content of the encrypted JavaScript file.
Figure 19: Kovter - JavaScript
The encrypted JavaScript's file extension, .f80c91052, was registered by the malware in the infected system's Windows registry as a valid file extension.
Figure 20: Kovter - Registered File Extension
This file extension points to a6005236, a handler that in turn points to another registry key containing the JavaScript that decrypts and loads the main malware:
HKEY_CLASSES_ROOT\a6005236\shell\open\command
Figure 21: Kovter - Spawn Shell
This registry shell entry executes a JavaScript snippet that loads another obfuscated JavaScript stored in the registry key HKCU\software\mecyuvs\rrattu.
Content of the registry key:
"C:\Windows\system32\mshta.exe" "javascript:Sqq8J="kYTJpUP"; s0Y=new ActiveXObject("WScript.Shell");Fm5baD="dxEb"; QF2xm=s0Y.RegRead("HKCU\\software\\mecyuvs\\rrattu");ine7HS9="V"; eval(QF2xm);iDxKR9="2TyRLeos";"
The registry key HKCU\software\mecyuvs\rrattu holds another obfuscated JavaScript, which in turn loads an obfuscated PowerShell script.
Figure 22: Kovter - PowerShell Script on Registry
This PowerShell script spawns a regsvr32.exe process, into which the Kovter module is injected.
Figure 23: Kovter - PowerShell Spawn regsvr32.exe
Once Kovter is running in the injected process, it starts its infamous behavior: click-fraud traffic.
Figure 23: Kovter - Click-fraud traffic
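The launcher chain above (a file-extension handler that runs mshta.exe with an inline javascript: URI, which reads the next stage out of the registry with WScript.Shell.RegRead and eval()s it) and the PowerShell-to-regsvr32.exe injection step both leave process-creation records that a detection rule can key on. The Python below is an added example for this post, not Trustwave tooling: it scans constructed process-creation records for those two patterns and pulls the registry key that holds the next stage out of the command line. The first command line is the one quoted above; the other records, process ids and parent images are constructed.

```python
"""Detection logic for the registry-resident launcher chain described above:
mshta.exe running an inline javascript: URI that fetches its next stage with
WScript.Shell.RegRead(), and PowerShell spawning regsvr32.exe as the
injection host. Added example; the process-creation records are constructed
(the first command line is the one quoted in the post)."""
import re

# mshta launched with an inline javascript: URI instead of an .hta file
MSHTA_INLINE = re.compile(r'mshta(?:\.exe)?"?\s+"?javascript:', re.I)
# RegRead("<key>") calls inside the inline script
REGREAD = re.compile(r'RegRead\(\s*"([^"]+)"\s*\)', re.I)
HIVES = ("HKCU", "HKLM", "HKCR", "HKU", "HKEY_")

def analyze_command_line(cmd: str):
    """Return a finding for the mshta/RegRead launcher pattern, else None."""
    if not MSHTA_INLINE.search(cmd):
        return None
    # The script text escapes backslashes ("HKCU\\software"); normalise the
    # extracted key path to the form seen in the registry.
    keys = [k.replace("\\\\", "\\") for k in REGREAD.findall(cmd)]
    stages = [k for k in keys if k.upper().startswith(HIVES)]
    return {
        "rule": "mshta_inline_javascript",
        "registry_stages": stages,
        "uses_wscript_shell": "WScript.Shell" in cmd,
        "uses_eval": re.search(r"\beval\s*\(", cmd) is not None,
    }

def analyze_parent_child(record: dict):
    """Flag regsvr32.exe started by PowerShell (the injection host in the post)."""
    image = record["image"].lower().rsplit("\\", 1)[-1]
    parent = record["parent"].lower().rsplit("\\", 1)[-1]
    if image == "regsvr32.exe" and parent == "powershell.exe":
        return {"rule": "powershell_spawned_regsvr32"}
    return None

def scan_process_events(events):
    """Return [(pid, finding), ...] over process-creation records."""
    findings = []
    for ev in events:
        for f in (analyze_command_line(ev["cmd"]), analyze_parent_child(ev)):
            if f:
                findings.append((ev["pid"], f))
    return findings

# Command line quoted in the post (registry shell\open\command content).
KOVTER_CMD = r'''"C:\Windows\system32\mshta.exe" "javascript:Sqq8J="kYTJpUP"; s0Y=new ActiveXObject("WScript.Shell");Fm5baD="dxEb"; QF2xm=s0Y.RegRead("HKCU\\software\\mecyuvs\\rrattu");ine7HS9="V"; eval(QF2xm);iDxKR9="2TyRLeos";"'''

# Constructed process-creation records; pids, parents and the benign
# command lines are made up for the example.
EVENTS = [
    {"pid": 1001, "image": r"C:\Windows\system32\mshta.exe",
     "parent": r"C:\Windows\system32\cmd.exe", "cmd": KOVTER_CMD},
    {"pid": 1002, "image": r"C:\Windows\system32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\system32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
    {"pid": 1003, "image": r"C:\Windows\system32\regsvr32.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\system32\regsvr32.exe"'},
    {"pid": 1004, "image": r"C:\Windows\system32\regsvr32.exe",
     "parent": r"C:\Windows\system32\msiexec.exe",
     "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
]

if __name__ == "__main__":
    for pid, finding in scan_process_events(EVENTS):
        print(pid, finding)
```

The extracted registry path is the useful artefact for response: it is where the next obfuscated stage lives, so it can be exported for analysis and then removed together with the a6005236 handler and the registered .f80c91052 extension. mshta.exe opening a normal .hta file (pid 1002) and regsvr32.exe registering a DLL under an installer (pid 1004) are left alone.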
This spam campaign has proven that old tactics are still effective and reliable, but also that they need to be varied from time to time, which is exactly what the threat actors behind this campaign have been doing. The campaign used the same old fake notification with an archived JS file, and almost the same algorithm of creating multiple sets of URLs from which to download the malicious payload. What did vary this time is the type of payload that was downloaded and executed: although not new, the attack used a PHP-based ransomware instead of the common binary ones. The PHP script cannot run without first downloading the non-malicious PHP interpreter binaries, something not everyone would expect, as it is hidden beneath all the obfuscation and inflating steps.
It is also critical to highlight that a PHP script based ransomware is potentially dangerous for web servers. Attackers can look for vulnerable upload scripts on these web servers and leverage them to place the ransomware on the server. This kind of attack therefore threatens not only the client side but potentially the server side of the Internet infrastructure as well.
Lastly, this campaign shows that the Kovter malware is still lurking in the background, waiting to be triggered by a simple update to the JS file.
The Trustwave Secure Email Gateway can recognize and block this threat campaign.