Netskope Threat Research Labs has detected a malicious campaign that uses a ransomware blended attack. A ransomware blended threat package includes malware such as credential stealers, backdoors, or revenue generation malware in addition to a ransomware payload. The purpose is to provide a second means of attack and revenue. Because of this, when remediating a ransomware blended attack, it is no longer adequate to simply wipe and restore an endpoint from backup.
Netskope Threat Research Labs has recently detected an uptick in ransomware blended threats including a variety of payloads. In this analysis, we will detail a case that blended Locky ransomware with the Kovter click-fraud malware.
In the current iteration of this ransomware blended campaign, attackers mated Locky ransomware with a fileless and persistent click-fraud malware called Kovter. This particular campaign was carried out via malicious WSF (Windows Script File) script files embedded in archive file email attachments. As we blogged earlier, cloud services can also deliver Locky ransomware. The campaign uses enticing file names such as “Delivery-Receipt-[NUMBER].zip” or “Undelivered-Parcel-ID-[NUMBER].zip” etc. for archive files and uses double extensions like “.doc.wsf” for file names inside to lure victims into opening and executing script files. The campaign also uses a chain of attacks to deliver its final payloads where the first malicious script downloads other malicious JavaScript code from attacker-controlled domains, where the Locky/Kovter dual head payload resides.
Figure 1. High-level Diagram of Ransomware Blended Attack
To summarize the high-level diagram in Figure 1:
1) Victim receives archive attachment either from SPAM email or cloud services, if forwarded
2) Victim executes malicious script file inside the archive
3) First script executed by the victim then downloads second obfuscated JavaScript from the compromised or attacker-controlled domains, which will be altered and executed by the first script
4) Second JavaScript code then downloads two payloads, one for ransomware and one for click-fraud malware, and executes them one by one
5) Ransomware payload encrypts victims’ important files, displays ransom message, and waits for ransom to be paid
6) Other malware remains hidden inside Windows Registry and executes its code in memory; malware starts click-fraud activities by visiting ad or affiliates websites in background without victim knowing
7) Even if victim pays ransom or restores files from backup, persistent and fileless malware remains on victim’s machine if not detected by security solutions
8) Either way, attackers get paid
Malicious Archive File
One of the malicious files (MD5 – 8EBE75D82F77764ECE51CF1ECE191602 detected by Netskope Threat Protection as JS:Trojan.Downloadr.H) we analyzed contains tiny script, as shown in Figure 2.
Figure 2: Malicious script code using double extensions
The formatted script explaining its operation is shown in Figure 3.
Figure 3: Formatted script for better readability
The script shown in Figure 3 tries to download contents with hard-coded parameters from one of the domains from the domain array. The contents downloaded include secondary malicious JavaScript code. Once it receives an HTTP 200 response from the domain, it replaces occurrences of hard-coded string “9408721” (variable m at line 9) present inside the response code with character “a” using JavaScript split-join method making the second payload dependent on the first script. The packet capture of the response is shown in Figure 4.
Figure 4: Another malicious obfuscated JavaScript code arrives in response
As shown in the above figure, we can see that the response contains multiple occurrences of the string, “9408721.” The full JavaScript is shown in Figure 5.
Figure 5: Obfuscated JavaScript code before it is modified by original script
To deobfuscate this script, we need to replace occurrences of “9408721” with “a.” The result is shown in Figure 6.
Figure 6: JavaScript code after substitution of character “a”
The resulting script is still obfuscated, but some program fragments are beginning to emerge. The final deobfuscated script is shown in Figure 7.
Figure 7: Final decoded JavaScript, which downloads multiple payloads
Below are the steps summarizing how the final script works:
- The script defines hard-coded variables
- The script first creates empty file, “a.txt” under system %TEMP% folder if not found
- The script then sends an HTTP GET request with hard-coded parameters and one modified parameter, “&r=01,” to list of domains to check payload response
- If 200 responses found, the script checks for the size of the response, saves the first payload as “a1.exe” under %TEMP% folder, and executes it
- The script then sends a similar request to the same domain with slight change in “r” parameter such as “&r=01” for the second payload
- If 200 response found for the second payload, the script checks for size of response, saves the second payload as “a2.exe” under %TEMP% folder, and executes it
The screenshot of system %TEMP% folder, which contains all the dropped files by this variant, is shown in Figure 8.
Figure 8: Multiple payloads dropped by this campaign under %TEMP% folder
Payload a1.exe — Locky
The payload “a1.exe” (MD5: 3DDDF9A48C9B44FDB1E68E0120833398 detected by Netskope as Backdoor.Generckd.4179958) is a Locky ransomware variant. The main behavior of Locky remains the same as covered in our previous analysis, hence we will just highlight a couple of points. This variant uses the “OSIRIS” extension for encrypted files, as shown in Figure 9.
Figure 9: Files are encrypted with OSIRIS extensions
The information and key exchange sharing with its command and control (C&C) server happens using a POST request to the new URI, “/checkupdate,” for this variant, as shown in Figure 10.
Figure 10: The C&C communication of this OSIRIS variant
And the final ransom message by this variant, as shown in Figure 11.
Figure 11: OSIRIS ransom message
At this stage, the user’s files with extensions (as mentioned in our previous blog) will be encrypted while the second payload – Kovter – is still running.
Payload a2.exe — Kovter
The payload a2.exe (MD5: 8ec67740b1e648654427267b3e7bbdce detected by Netskope Threat Protection as Backdoor.Generckd.4180231) arrives as an installer. Once executed, this installer executes the Kovter payload using PowerShell executed by the legitimate Windows “mshta.exe” creating the Kovter persistence as“regsvr32.exe,” as shown in Figure 12.