Introduction
Last month, I wrote a diary about malicious spam (malspam) using password-protected Word documents to distribute Sigma ransomware. The campaign has remained active since then, with emails as recent as Wednesday 2018-04-18. I investigated it again this week, and found this campaign was pushing GlobeImposter ransomware. It was also using a password-protected Windows executable, which I assume is an attempt to avoid detection.
Shown above: Flow chart for this infection chain.
Most users are well-protected against this threat. Spam filters will generally catch these emails. Furthermore, Protected View in recent versions of Microsoft Office should prevent users from accidentally getting to the macros in these malicious Word documents. Default security settings for Windows Defender in Windows 10 should also prevent these infections.
However, people running previous versions of Windows might be affected, depending on their security settings. Today's diary reviews what we've seen from this malspam campaign so far this week.
The emails
Malspam from this campaign follows the same general patterns reported last month, as shown in the images below. This week, these Word documents used 123456 as the password.
Shown above: Spreadsheet tracker for some of this week's malspam.
Shown above: Screenshot from one of the emails.
Shown above: Each of these attached Word documents asks for a password.
Shown above: After the password is entered, I had to enable macros to get infected.
The infection traffic
Infection traffic consists of HTTP requests to onlinedocuments.ir, which is the same domain I reported last month. This time, it's using update.bin instead of email.bin. Since this is GlobeImposter ransomware, no post-infection traffic was noted.
Shown above: Traffic from an infection as seen in Wireshark.
The infected Windows host
When I monitored a test host in my lab environment, I enabled macros and saw a file named taskwgr.exe appear in the user's AppData\Roaming directory. I grabbed a copy and found it required a password to execute.
Shown above: The password-protected executable for GlobeImposter ransomware.
People have removed the password protection from these Word documents and have submitted samples to hybrid-analysis.com. Do a Google search for "onlinedocuments.ir/update.bin" site:www.hybrid-analysis.com and you'll find several examples. I checked a recent sample and found a password in the process list. In this case, the password for the executable was 252589.
Shown above: Finding the password for taskwgr.exe.
My lab host showed signs of infection from GlobeImposter ransomware. All encrypted files were appended with ..txt as the file extension. And I found a decryption instructions in a file named Your files HERE.txt.
Shown above: Examples of encrypted files on my lab host.
Shown above: The message I got from Your files HERE.txt.
I accessed the decryptor through a Tor browser, and it asked for roughly $1000 US dollars as the ransom payment.
Shown above: GlobeImposter decryptor.
Final words
This trend is somewhat troubling, because I can find hundreds of examples from this campaign using VirusTotal Intelligence that show zero detection. In the image below, I searched VirusTotal Intelligence with the following parameters and found 183 examples of Word documents from this most recent wave:
tag:attachment tag:doc positives:0 fs:2018-04-18+ size:39424
Shown above: 183 examples with zero detection on VirusTotal.
I've seen this trick before, where a malicious macro, VBS, or JS file retrieves follow-up malware that's password-protected. In these cases, the password is stored and implemented by the macro, VBS, or JS code. I'm not sure how effective this is, because I was still unable to infect a Windows 10 host with default security settings. And as usual, any properly-administered Windows host in an environment that follows best security practices should be well-protected against this threat.
I expect we'll see more examples of this malspam in the coming weeks.
---
Brad Duncan
brad [at] malware-traffic-analysis.net
Back to Basics: Backups and Data Recovery “The Home Office Edition”
The Point of the Matter
On the subject of backups, here it is 2018…. The Information Technology professional has had the subject pushed hard and backups ‘should’ be axiomatic. It started with a simple question on our team Slack channel “Hey, <blah blah> backup home lab, blah blah” and come to find out? We as knowledge professionals may not *cynical humor with serious undertones* be doing the best of jobs at backing up our ‘underground lair’ [1] so to speak.
This then lead down a path of asking other handlers more questions, finding out what colleagues were doing, asking some clients what they do at home. The deeper I examined, the more it became apparent that data may not be backed up effectively (if at all!).
Observations
One of the major anecdotal observations is we may not be doing the best job at backing up our personal data, me included. Using myself as a (bad) example, with over 30 terabytes (TB) of data in various arrays, I have been falsely comfortable with RAID. I can still hear Dr. Eric Cole’s (Mr. Back then) voice “RAID is not a backup solution” yet, here I am. Laptops are backed up via TimeMachine to one of the array’s and that has proven effective and saved me a couple of times. The Windows devices in the house are not really backed up, however, cloud storage (e.g., Box, DropBox, etc) is used heavily.
Another anecdotal piece of evidence comes from a client meeting today (thanks guys for answering me honestly, you know who you are :)). Some built in backups, RAID array of drives, and that’s about it. We shared a good chuckle, and agreed that we need to get better about it.
Reported Solutions
Disclaimer: The Internet Storm Center does not endorse products or solutions. The following are listed as what was in use at the time of investigation.
- A good combination of Crashplan [2] + Apple TimeMachine [3]
- Only TimeMachine [3]
- Drobo Storage Arrays [4] + Apple TimeMachine [3] + A False Sense of Security [10] (this is me :))
- QNAP Array (RAID) [5] + TimeMachine
- QNAP Array (RAID) [6] + “Ignoring the problem”
- Borg Backup [7] (reported to compress virtual machines excellently) + Apple TimeMachine [3] + Wasabi Cloud [8]
- DropBox [9] + External USB Hard Drive
Conclusion
Protecting our ‘Secret Underground Lairs’ seems to be an area that needs some attention. PC Magazine has a pretty good article reviewing cloud backup solutions of 2018 [11] and worth a review. The heart of the matter is, how ‘backed up’ is your data at home, from family photo’s, to hours of work on virtual machines. Ask yourself what needs to be done to protect yourself @home. We all do risk management and attack surface reduction at $dayjob, and seems that we could do a better job with our personal stuff.
Please hit me up @packatalien and or here on the forums if you have any ideas, suggestions, things that work, still use tape drives, or any other Back to Basics topics that need review. Short of it, I'm not done with this topic! Please send ideas as I plan to expand on this.
[1] https://www.youtube.com/watch?v=SW0Q0IQydAg
[2] https://www.crashplan.com/en-us/
[3] https://support.apple.com/en-us/HT201250
[4] http://www.drobo.com/storage-products/
[5] https://www.qnap.com/en-us/how-to/tutorial/article/time-machine-support
[6] https://www.qnap.com/en-us/
[7] https://github.com/borgbackup
[10] https://www.sciencedirect.com/science/article/pii/S0747563210000373
[11] https://www.pcmag.com/article2/0,2817,2288745,00.asp
[12] http://tvtropes.org/pmwiki/pmwiki.php/Main/TheCobblersChildrenHaveNoShoes
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
