Last Updated: 2017-01-09 00:15:27 UTC
by Brad Duncan (Version: 1)
On Tuesday 2017-01-03, BleepingComputer published an article about "Merry X-Mas Ransomware" . This ransomware was first seen by people like @PolarToffee, @dvk01uk, and @Techhelplistcom. Merry X-Mas Ransomware was first reported as distributed through malicious spam (malspam) disguised as FTC consumer complaints .
By Sunday 2017-01-08, I saw an updated version of the Merry X-Mas Ransomware distributed through malspam disguised as court attendance notifications.
It seemed odd to find Christmas-themed ransomware two weeks after Christmas; however, Orthodox Christian communities celebrate Christmas on January 7th . Ultimately, such Christmas-themed ransomware isn't odd if it's from a Russian actor.
With that in mind, let's review the characteristics of Sunday's Merry X-Mas ransomware.
The malspam was a fake notification to appear in court. Email headers indicate the sender's address was spoofed, and the email came from a cloudapp.net domain associated with Microsoft.
- Date/Time: Sunday, 2017-01-08 15:40:24 UTC
- Received from: rcp-drools.rcp-drools.a10.internal.cloudapp.net
- Message-Id: <201701081540.v08FeOZU013692@rcp-drools.rcp-drools.a10.internal.cloudapp.net>
- From: Court Agent
- Subject: Notice of court attendance
The link from malspam downloaded a zip archive. The zip archive contained a Microsoft Word document with a malicious macro. If macros were enabled on the Word document, it downloaded and executed the ransomware.
On Sunday 2017-01-08, the infected Windows host had a ransom notification with text identical to the message seen on Tuesday 2017-01-03 [1, 2]. Sunday's image featured Robot Santa Claus from the TV show Futurama , which is appropriate, since that character is quite evil.
The ransom notification was dropped to various directories on the computer as YOUR_FILES_ARE_DEAD.HTA, including the desktop. The file extension for all encrypted files was .RMCM1 when I checked my infected host.
The ransom notification was set in the registry for persistence as shown in the image below.
Traffic remained consistent with last week's Merry X-Mas Ransomware example. After downloading the zip archive and extracting Word document, I enabled macros. That retrieved the ransomware binary from onion1.host over TCP port 443 as HTTP (not HTTPS). The ransomware was stored as C:\Users\[username]\AppData\Roaming.eXe on the local host and deleted itself after running. Post-infection callback sent information about the infected host to onion1.pw over TCP port 443 also as HTTP (not HTTPS).
Indicators of Compromise (IoCs)
I submitted a pcap of the infection traffic to VirusTotal to see what alerts should trigger . Two EmergingThreats rules triggered on the callback traffic as MRCR1 Ransomware. MRCR1 is one of the file extensions seen for the encrypted files from last week's sample. That might be a good name for this ransomware, especially if we see it again later using some other theme.
A full list of IoCs follow:
- 220.127.116.11 port 80 - neogenomes.com - GET /court/PlaintNote_12545_copy.zip [initial zip download]
- 18.104.22.168 port 443 - onion1.host:443 - GET /temper/PGPClient.exe [ransomware binary]
- 22.214.171.124 port 443 - onion1.pw - POST /blog/index.php [post-infection callback]
- YOUR_FILES_ARE_DEAD.HTA [ransom notification]
- @comodosecurity [Telegram POC from ransom notification]
- firstname.lastname@example.org [email POC from ransom notification]
- File name: PlaintNote_12545_copy.zip
- SHA256 hash: 86e98f1ddbb2953a5de8b3d550ac2fb45fd20d1305a12dfebc2ccb6e80717631
- File description: Zip archive from link in malspam
- File name: PlaintNote_12545_copy.doc
- SHA256 hash: 244b4205acb416700bec459c8b36be379c0b7e3d2a21a57c4a121ba95d229bc4
- File description: Word document with malicious macro
- File name: C:\Users\[username]\AppData\Roaming.eXe
- SHA256 hash: 78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae
- File description: Merry X-Mas Ransomware
Malspam with links to malware is a common threat. This is not an unusual method of malware distribution, and its holiday theme also fits the season. So why draw your attention to Merry X-Mas ransomware, you ask?
Such information emphasizes the ever-present threat of ransomware. It also shows that despite the protective measures an organization might have in place, some people will click their way through warnings and infect their computers. We wouldn't continue to see this type of activity if it wasn't profitable for the criminals involved.
I trust that most people reading this diary are aware of the threat, and most would not fall for this type of malspam. Furthermore, some organizations already have protective measures in place that prevent these kind of ransomware infections.
Still, we need to keep an ongoing dialog to promote awareness of this and other ransomware threats. Too many people continue to fall for it.
Pcap and malware for this diary can be found here.
brad [at] malware-traffic-analysis.net