The Spam, JavaScript and Ransomware Triangle
Authors: Dr. Fahim Abbasi and Nicholas Ramos
Introduction
Our global spam honeypot sensors detected a pervasive email campaign that leveraged a zipped attachment containing a malicious JavaScript file. When opened, the JavaScript infected victims with ransomware. The campaign started in the late hours of 17th July 2017, peaked at over 1.2 million messages, and ended on the 19th of July 2017. A similar burst was observed a few days later, starting on the 25th of July and ending on the 27th of July 2017, as illustrated by the timeline in Figure 1 and Table 1.
Analysis of the Email Body
Last May, we reported a spam campaign distributing both the FakeGlobe and Cerber ransomware families. While that campaign lasted only a few days, we recently observed the same malware being spammed out in a different campaign. This campaign used the same blank subject and body, but carried a different attachment: a compressed JavaScript (JS) file. Two different sets of Zip files were used, each containing a distinct JavaScript file. Both JS files use the same code template but contain different URLs pointing to different malware. Anonymized screenshots of the two spam messages, with their attachments, are shown in Figures 2 and 3. In both messages the Subject field and the body were blank. Using a blank subject and body is a common technique: it gives signature-based anti-spam detection little to match on, and it serves as a simple template for spammers.
Analysis of the Attachment
The Malicious JavaScript (JS)
Saving the attachment to disk and unzipping it reveals a JavaScript file. Double-clicking this file executes it under the user's account, which is exactly what the spammers are counting on. This sample is unusual in that the malicious code is embedded among paragraphs of readable text, apparently copied from Wikipedia articles about different countries. We believe the paragraphs were placed at the top of the script to give it the appearance of a benign text file, both to automated scanners and to any human analyst who previews it in a text editor. Screenshots of one such sample are shown in Figure 4 and Figure 5. In this case, the passage was copied from the Wikipedia article about China.
The attackers crafted over 30 obfuscated JS functions in this sample. These functions do nothing until a trigger function call runs them, as illustrated in Figure 6.
The trigger function first de-obfuscates the URLs and then uses them to download the malicious payload. The de-obfuscation is trivial: the URLs are stored with commas inserted, and the script simply removes the commas. As a failsafe, the function embeds five different URLs so that a payload can still be downloaded if some of the hosts have been taken offline. A code snippet is illustrated in Figure 7.
The de-obfuscated URLs are then passed to a downloader function. The downloader uses a Microsoft ActiveX object, MSXML2.XMLHTTP, which can send an arbitrary HTTP request, receive the response, and have the Microsoft XML Document Object Model (DOM) parse it. The Open method initializes the MSXML2.XMLHTTP request and specifies the HTTP method and URL, as shown in Figure 8. The use of ActiveX objects indicates that the spammers are targeting Microsoft Windows victims. On Windows the script runs when it is simply double-clicked, courtesy of the Windows Script Host (WSH), a framework for running and automating scripts from the GUI (WScript.exe) or from the command line (CScript.exe). WSH supports scripting engines such as JScript and VBScript. The script could also be interpreted by a browser that exposes ActiveX to page script, namely Microsoft Internet Explorer (Microsoft Edge does not support ActiveX); other browsers running IE-engine extensions that expose ActiveX objects may also be affected. Browsers that do not provide the ActiveXObject constructor cannot run the downloader at all.
Next, the attackers use the ActiveX stream object and the FileSystemObject to save the downloaded file to the temp folder under a random name with a .jpg extension, and then rename it to .exe, as illustrated in Figures 9, 10 and 11.
Finally, the payload is executed through the ActiveX WScript.Shell object, which runs the downloaded executable as illustrated in Figure 12. In summary, this JavaScript sample is a downloader and executor: it has no encryption capability of its own, so blocking the download or the execution step stops the infection.
Analysis of the Malicious Payload dropped by the JS
We had two different JavaScript samples built from the same code template but configured with different URLs. They downloaded two different ransomware families, namely "FakeGlobe" and "Cerber".
Payload – IOC
FakeGlobe Ransomware
The FakeGlobe payload was hosted at the embedded URLs ending in a .dat extension. An example URL extracted from the JS file is listed here:
URL: hxxp://astromfghqmo.com/error.php?f=1.dat
Hashes of the Downloaded File:
- MD5: D885A811324370FD2CA8ED9075A71652
- SHA1: DF799BC0225C5391DAE2F0044AAAE745A2C64E14
Encrypted Files and Ransom Note for FakeGlobe:
After execution, the FakeGlobe ransomware sample encrypts and renames files. Encrypted files are given the .crypt extension, as shown in Figure 13, and a ransom note is dropped as an HTML file, shown in Figure 14.
Cerber Ransomware
The Cerber payload was hosted at the embedded URLs ending in a .doc extension. The URLs extracted from the JS file are listed here:
URLs:
- hxxp://asopusforums.date/1.doc
- hxxp://ariadnerevolution.date/1.doc
- hxxp://asbetosgem.trade/1.doc
- hxxp://phaennabazaar.trade/1.doc
- hxxp://dolopolesasz.com/1.doc
Hashes of the Downloaded File:
- MD5: FE1BC60A95B2C2D77CD5D232296A7FA4
- SHA1: C07DFDEA8DA2DA5BAD036E7C2F5D37582E1CF684
Encrypted Files and Ransom Note:
After execution, the Cerber ransomware sample encrypts and renames files. Cerber gives encrypted files random names and a random extension; this sample used the extension .ab22, as shown in Figure 15. Cerber typically drops its ransom note in both .hta and .txt formats, as shown in Figures 16 and 17.
It also changes the desktop wallpaper to display the ransom note, which is typical Cerber behavior.
Conclusion
Attackers are leveraging the simplicity of email to distribute ransomware to victims worldwide. We detected one such campaign in which attackers sent millions of spam messages, observed by our distributed honeypot sensors. The messages had a blank Subject line and an empty body, and fell into two sets, each carrying a different zip attachment containing a similar obfuscated JavaScript file. The JS files share the same code template but are configured with distinct sets of URLs pointing to different ransomware families. Once executed, the downloaded ransomware encrypts the files on the victim's computer and demands a ransom. As a mitigation, customers should consider blocking JS attachments at the email gateway, since much of the malware we currently see is distributed through such scripts; because the script is only a downloader, blocking the attachment or the outbound payload fetch stops the infection before any file is encrypted. Trustwave's Secure Email Gateway effectively detects and blocks this campaign, protecting our customers from the threats posed by cyber criminals.
ABOUT TRUSTWAVE
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.