Last week, Netskope Threat Research Labs blogged about the resurgence of Locky Ransomware encrypting files to the LUKITUS extension. Since then, we have seen a surge of spam emails delivering several types of ransomware including Locky on a daily basis. While tracking the campaigns, Netskope Threat Research Labs observed over 600+ spam emails delivering GlobeImposter ransomware that encrypts the victim’s files and adds “..txt” extensions. Netskope detects the malicious VBS file as “Backdoor.VB.downloadr.adr” and the payload as “Backdoor.generckd.5942787” respectively.
Spam Campaign
The attackers behind this campaign crafted spam emails by not only attaching a malicious archive file but also inserting a malicious link inside the email body. The attachment contains malicious VBScript code which downloads the ransomware payload, similar to the delivery mechanism of Locky ransomware. An example of the spam email spreading GlobeImposter Ransomware is shown in Figure 1.
Figure 1: Spam email spreading GlobeImposter Ransomware.
As shown in Figure 1, the email has an attachment with the name “Invoice INV-000993.7z” which contains malicious VBScript named “INV-000695.vbs” which on execution downloads GlobeImposter ransomware. The attacker deliberately included a malicious link along with the attachment. This tactic was employed as an alternate measure to make the victim click the hyperlink in case the attachments were detected by the security solution. Hovering over the hyperlinks from the spam email we analyzed revealed the malicious URL downloading a similar 7-ZIP file as shown in Figure 2.
Figure 2: Email not only contains attachment but also includes a malicious link.
At the time of writing this blog, the malicious link was down.
Analysis of the VBScript
As mentioned earlier, the 7-ZIP archives contain a malicious VBScript code as shown in Figure 3.
Figure 3: Malicious script code to download and execute GlobeImposter.
As shown in Figure 3, an interesting point to note is that the attackers have named the variables on a character from the famous Game of Thrones television series. This malicious code first downloads the encrypted payload from the attacker’s controlled or compromised domain as shown in Figure 4.
Figure 4: Malicious script downloading encrypted payload.
The encrypted payload is downloaded in %TEMP% folder with a random name and “.exeA” extension, for example, inCzr.exeA. The VBScript then decrypts this custom encrypted payload using XOR into an executable file (removing A from .exe extension) as shown in Figure 5.