Globe Imposter Ransomware Makes a New Run

In the world of cyber security, there are some threats that seem to have been specifically designed to wreck your day.

Ransomware is one of those threats.

Even if you have secure backups, and they’re kept safely away from the rest of your network, the time it takes to restore from them and remove all traces of the offending trojan is sure to get your blood boiling.

So when a new ransomware threat arises, it pays to make sure your house is in order, and your users are on high alert.


Ransomware: Spotted

On August 8th 2017, our threat analysts at PhishLabs identified a new spam campaign being used to transmit the Globe Imposter ransomware trojan via trojan downloader Nemucod.

Globe Imposter, which was first spotted during the last months of 2016, is a fairly typical ransomware trojan: it encrypts files with common extensions and deletes all system restore points to prevent victims from recovering their files using standard Windows backup procedures. As we previously mentioned, Globe Imposter is often delivered by a loader, which communicates with the command and control infrastructure to receive secondary execution instructions and/or to download additional functional modules.

Once an infection has taken place, victims are treated to the dreaded “Your files are encrypted” screen, and README files containing instructions on how to pay a ransom using Bitcoins are added to their desktop and any directories containing encrypted files.

[Image: Globe Imposter 1.png]

In what has become a standard move for all but the most basic ransomware trojans, Globe Imposter victims will also be given the opportunity to decrypt a single file before paying their ransom, as a means of communicating good faith.

The Lure

As is most often the case with ransomware, the Globe Imposter campaign we detected is delivered by phishing. And from first impressions, it doesn’t look terribly sophisticated. Here’s the subject line:

“Message from "RNP002673C00499"”

Unsurprisingly, the characters following RNP are unique to each email, but the format is consistent.

Once a victim opens the email, however, things are a little more interesting. While there is little (if anything) in the way of email “content”, each lure contains a fake system notification designed to make it appear as though the attachment has been sent from a device within the victim’s network.

For example:

“This E-mail was sent from "RNP002673C03941" (Aficio MP C305). Scan Date: Tue, 08 Aug 2017 18:30:24 +0700 Queries to: no-reply@local”.

Or:

“This E-mail was sent from "RNP002673C11360" (Aficio MP C305). Scan Date: Tue, 08 Aug 2017 18:04:18 +0530 Queries to: no-reply@local”

As with the email subject, the scan date and “Queries to:” address are unique to each email. The attachment name, meanwhile, appears to be a date/time stamp that is unique to each email but retains a consistent format:

“20170808182240.zip”

“20170808183024.zip”

The Payload

Naturally, the campaign is designed to convince victims to open the mystery attachment: a JavaScript file delivered inside the .zip archive.

Once the file is launched, it immediately attempts to communicate with its command and control (C2) server via one of several URLs. Examples include:

fly2.com[.]tw/jhYGUhjb6t??kjgFvAWuoYW=kjgFvAWuoYW

microsom[.]com/jhYGUhjb6t??dRsnFW=dRsnFW

When a successful C2 connection is made, the real payload is downloaded and dropped onto the victim’s machine. Again, the precise download locations appear to change with each script and have been observed using hosting services in Taiwan (203.74.203.14) and Turkey (37.230.110.87). The payload download URLs are hosted on compromised websites, so the hosting location is likely opportunistic rather than planned.
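As an added example (not PhishLabs' code), here is defensive triage logic covering both the lure format described in "The Lure" and the C2 path seen in the downloader above. The Mail class, rule names, sample messages and proxy lines are constructed for this illustration, and reading the RNP identifier as 12 hex digits is an assumption based on the samples shown.

```python
import re
from dataclasses import dataclass

# Hypothetical detection rules distilled from the campaign traits above (not a vendor signature).
SUBJECT_RE = re.compile(r'^Message from "RNP[0-9A-Fa-f]{12}"$')     # 12 hex digits assumed
ATTACHMENT_RE = re.compile(r'^\d{14}\.zip$')                       # YYYYMMDDhhmmss.zip
BODY_RE = re.compile(r'This E-mail was sent from "RNP[0-9A-Fa-f]{12}" \(Aficio MP C305\)\.'
                     r'.*Queries to: no-reply@local', re.S)
C2_PATH_RE = re.compile(r'/jhYGUhjb6t\?\?')  # C2 host changes per script; match the path only

@dataclass
class Mail:
    subject: str
    body: str
    attachments: list   # attachment names plus the names of files inside any archive

def lure_indicators(mail):
    """Return the names of the campaign traits a message exhibits."""
    hits = []
    if SUBJECT_RE.match(mail.subject):
        hits.append("subject_format")
    if BODY_RE.search(mail.body):
        hits.append("fake_scanner_notice")
    if any(ATTACHMENT_RE.match(a) for a in mail.attachments):
        hits.append("timestamp_zip")
    if any(a.lower().endswith(".js") for a in mail.attachments):
        hits.append("js_in_archive")
    return hits

def is_globe_imposter_lure(mail, min_hits=2):
    """Flag only when traits co-occur, so a genuine scanner notification is not quarantined."""
    return len(lure_indicators(mail)) >= min_hits

def c2_urls(proxy_lines):
    """Pick out proxy log requests whose path matches the downloader's C2 beacon."""
    return [line for line in proxy_lines if C2_PATH_RE.search(line)]

# Constructed samples in the shapes the post describes (not real captures).
LURE = Mail(
    subject='Message from "RNP002673C00499"',
    body='This E-mail was sent from "RNP002673C03941" (Aficio MP C305). '
         'Scan Date: Tue, 08 Aug 2017 18:30:24 +0700 Queries to: no-reply@local',
    attachments=["20170808182240.zip", "20170808182240.js"],
)
BENIGN = Mail(subject="Q3 budget", body="Figures attached.", attachments=["budget.xlsx"])
PROXY = [  # hostname is a placeholder; the path is the indicator
    "2017-08-08T18:31:02 10.0.0.7 GET http://compromised-host.example/jhYGUhjb6t??kjgFvAWuoYW=kjgFvAWuoYW",
    "2017-08-08T18:31:05 10.0.0.7 GET http://example.org/index.html",
]
```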

Once the file has finished running, and the victim’s files have been encrypted, a “Read Me” Internet Explorer shortcut is created on the victim’s desktop.

And when the victim opens the Read Me? They find out just how bad their day is going to be.

[Image: Globe Imposter 2.png]

As with most ransomware scams, victims are instructed to visit a Tor-hosted .onion site to make their ransom payment, ostensibly in return for the decryptor software and key.

The payment site associated with this sample was:

hxxps://n224ezvhg4sgyamb.onion.link/efwdaq.php

Thankfully, at the time of posting, there do not appear to have been any payments made to the Bitcoin wallet listed at that address.

And, if everybody remains watchful, we hope it will stay that way.


Article Link: https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run