Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there
Introduction
I recently found a wave of malicious spam (malspam) that started as early as Monday 2018-03-05 at 18:28 UTC and lasted through at least Tuesday 2018-03-06 at 14:44 UTC. This wave of malspam had Word documents as file attachments, and these Word docs had macros designed to infect Windows hosts with ransomware. When I checked Monday evening, I infected one of my lab hosts with GlobeImposter ransomware. When I checked Tuesday morning, I saw GandCrab ransomware.
This is interesting, because in 2018, I've seen very few examples of mass-distribution malspam pushing ransomware. So far in 2018, such malspam has been pushing mostly information stealers, backdoors, and cryptocurrency miners. So it's always noteworthy when I find something like this.
Today's diary examines this wave of malspam, the infection traffic, and associated indicators.
Shown above: Flow chart for an infection from this malspam.
The emails
Patterns for these emails were consistent, but I couldn't match them to a specific campaign. Sending addresses, subject lines, email headers, and message text were all varied. The only consistent part of this malspam was the Word document attachments, which were all named " Resume.doc" with a space before the first letter. And even then, each attachment had a different file hash.
Shown above: Screenshot from the spreadsheet tracker with 24 email samples.
Shown above: Screenshot from one of the emails.
The attachments
The attachments were typical Word documents with malicious macros. They work similar to malicious macros seen in other malspam campaigns, using Powershell to retrieve a malware binary to infect a vulnerable Windows host.
Shown above: One of the attached Word documents.
The traffic
Infection traffic from Monday evening showed indicators of GlobeImposter ransomware. After the macro used Powershell to retrieve the ransomware binary from a server at 198.100.119.11, I saw an HTTP request to psoeiras.net for an IP address check. The URL to psoeiras.net was similar to what I've documented before with GlobeImposter ransomware infections.
Shown above: Traffic from an infection filtered in Wireshark on Monday evening (US time).
When I checked again Tuesday morning, I saw the same URL to 198.100.119.11 for a ransomware binary However, this time, the follow-up HTTP request for the IP address check went to nomoreransom.coin, with follow-up DNS queries for nomoreransom.bit and gandcrab.bit. These domains are typical for what I've previously documented with GandCrab ransomware.
Shown above: Traffic from an infection filtered in Wireshark on Tuesday morning (US time).
Forensics on an infected Windows host
The GandCrab ransomware sample didn't encrypt any files on my lab host, but the GlobeImposter binary did. All files encrypted by the GlobeImposter sample used a .gif file extension. Previous samples of GlobeImposter I'd tested in December 2017 used Read__ME.html for the decryption instructions, but this 2018 sample used Read__ME.txt. The GlobeImposter decryptor seen through my Tor browser had a visual upgrade with a nice background image, but it still had the same basic setup as before.
Shown above: Encrypted files on a Windows host infected with GlobeImposter.
Shown above: GlobeImposter decryption instructions.
Shown above: GlobeImposter decryptor viewed on a Tor browser.
The GlobeImposter infection stayed persistent on my infected lab host through the Windows registry. Like many malware samples I've seen, this one used the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key. However, the binary used for persistence was not the same binary used during the initial infection. The persistent binary for this GlobeImposter infection was only 22,528 bytes.
Shown above: Malware made persistent on my host infected with GlobeImposter.
Indicators
See below for a list of URLs, domains, and file hashes associated with this malspam.
SHA256 hashes for all attachments named " Resume.doc":
- 02d9a2643082ee6751472cfbe4760a3d9afb00a263c698eca3b748d012fcb66a
- 05ec663bd1c8521f48affc6dfebf0a6fe410711b70096b5c4be2bac37c7f262b
- 4027d8bad7ae8b5f2a88f414417ced73a50ee5fa0d60bf4d5395dc8953037b3c
- 43d2c9efb6cc5907f7c04c719e83c3404b629bbf849c83fb053b6f23ddf84d81
- 4b4ade15d6ed8eba53d1064170dee191e07da1baafeeecc3b8fdb4803a44a628
- 50994124ce7d6ebc5b59b29e4278eb78997726d8e6cb902a8ccc437e4fda1a6d
- 5490b18af502fa3a576ff5612eefff34dd75edd7bd567519f2b25da1d885de60
- 56e6c1521070d58e525bad12d222c04952676c4b0d77136c9720a3263f9c557f
- 6242c95fed475bc708c49b2bb7ad292f43d42fbcbd0b68502db01ea4a44ae656
- 63f070add2cd6b6a6c212c82f1003b35fd45c4ae8787a2da2ec9e16c5e16c0e5
- 69e706c4ddcd8ea4e9f0745e5bdcef760b0e553549bf26526ef51746244f292c
- 6a193b0362506748a165b320f72bcd2d149760d66f287bc2271f30328a11181e
- 72d18a2df77c75fc3949f34c37e0339039a211e2086fab5c92d2b41064fb5030
- 75e92c7e36ff1cac3cff5b11426916d64b7956022cb668f4f675f3f2fc0e7fe7
- 767b6094e57e940540192fceb1fe31c8311588d998d6f71a4099623fec0d5488
- 92e56ae3f7f014ae8f348e0dc6c2a68936dc878d56e4c9b777202a9000fd6899
- 9d41bb0167c7a19d69be0eb29920054e9b8cfa132a89129b31ecaa3338887e1d
- a77afbcc935a6c0290e0a290f10913f343be31d955ce7f2f2446e605a0d89165
- a84730972266ee371c8a5b9906102842f9834b6bd36413f8e15808aa79d1c136
- a96c1911b31beaa2d6fedc654fb568e0ee82160d439e4ac38d53c24a441b0436
- b8ccfed35c590ab7bb1fd619eb085905515fde9c6dff7f592b391a516f8cc52a
- cb32fc84a036ab47b60569b3fdc718de9858555b349c90e188a8b7cd4602a264
- ee6b7d944abaec4cb3bc2780489f81d337724164d76c2056d37cc225ea57a6d5
The following are malware samples retrieved from my infected lab hosts:
- SHA256 hash: 61bed70b1568fce8dc67c91bab1884027631bdf2c8b8ba63d54ce32d7e429a76
- File size: 223,744 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\41097.exe
- File description: GandCrab ransomware
- SHA256 hash: d6535b7caf79cc9b624e5f8878aa1d8717bdd84778fde47caad4ed75e322ef97
- File size: 867,840 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\41097.exe
- File description: GlobeImposter ransomware
- SHA256 hash: 41056643ee135ac0fce3237d69b32370102887b22c0250e2e0b515b25f525183
- File size: 22,528 bytes
- File location: C:\Users\[username]\AppData\Roaming\Microsoft\wmon32.exe
- File description: Executable persistent for the GlobeImposter ransomware infection
The following are URLs and domains associated with these infections:
- 198.100.119.11 port 80 - 198.100.119.11 - GET /d1.jpg?rnd=53171 (returned ransomware binaries)
- 74.220.219.67 port 80 - psoeiras.net - GET /count.php?nu=103 (IP address check from GlobeImposter)
- 66.171.248.178 port 80 - nomoreransom.coin - GET / (IP address check from GandCrab)
- nomoreransom.bit (domain associated with GandCrab)
- gandcrab.bit (domain associated with GandCrab)
- hxxp://djfl3vltmo36vure.onion/sdlskglkehhr (GlobeImposter decryptor)
Final words
Although ransomware is down compared to last year, every once in a while we still see a wave of malspam like this, pushing recent ransomware families seen in prior mass-distribution campaigns. So far in 2018, GlobeImposter and GandCrab are the only ones I've seen in mass-distribution malspam. However, these recent samples don't seem to be any more dangerous now than they were before.
As always, properly-administered Windows hosts are unlikely to get infected. To infect their computers, users would have to ignore multiple warnings to retrieve and activate the malicious Word document, which includes bypassing Protected View. System administrators and the technically inclined can also implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.
Pcap and malware samples for today's diary can be found here.
---
Brad Duncan
brad [at] malware-traffic-analysis.net
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago