Sponsored by..

Friday 4 September 2015

Malware spam: "RE:resume" aka "What happened to your files?" / Cryptowall 3.0

This fake résumé spam leads to ransomware:

From:     fredrickkroncke@yahoo.com
Date:    5 September 2015 at 03:50
Subject:    RE:resume
Signed by:    yahoo.com

Hi my name is Teresa Alexander attach is my resume
Awaiting your prompt reply

Kind regards

Teresa Alexander
The attached document in this case is Teresa_Alexander_resume.doc, which upon opening asks you to enable active content:



Protected Document
This document is protected by Microsoft Office.
Please enable Editing and Content to see this document.

Can’t view? Follow the steps below.
Open the document in Microsoft Office. Previewing online does not work for protected documents.
If you downloaded this document from your email, please click “Enable Editing” from the yellow bar above.
Once you have enabled editing, please hit “Enable Content” on the yellow bar above.
Following these steps would be a Very Bad Idea as the malware would encrypt all your files on the disk. This malicious DOC file itself has a VirusTotal detection rate of 4/56.

The Hybrid Analysis report shows pretty clearly what is going on. An infection sequence begins, with the following domains and IPs contacted:

46.30.46.117 [Eurobyte LLC, Russia)
186.202.153.84 (gaiga.net)
192.186.235.39 (satisgoswamicollege.org)
52.88.9.255 (entriflex.com)
23.229.143.32 (eliasgreencondo.com)

Blocking those domains and IPs may be enough to stop the ransomware working. The malicious macro in the document drops a file carved_0.exe which has a detection rate of 4/56.

Once the machine is infected, various "What happened to your files?" messages pop up, such as this one (from the Hybrid Analysis report)


This further references another bunch of domains that you might want to block, especially in a corporate environment:

namepospay.com
optiontosolutionbbs.com
optionpay2all.com
democraticash.com


This further Hybrid Analysis report on the dropped binary also identifies the following malicious site:

68.178.254.208 (erointernet.com)

Incidentally, it is worth noting that the malware attempts to identify the IP address of the infected system by visiting ip-addr.es - although this is not a malcious site, you can consider it to be a potential indicator of compromise.

The payload here is Cryptowall 3.0 and as is typical, removing the malware is easy.. but decrypting the files without paying the ransom is fearsomely difficult.

Recommended blocklist:
46.30.46.0/24
gaiga.net
satisgoswamicollege.org
entriflex.com
eliasgreencondo.com
erointernet.com
namepospay.com
optiontosolutionbbs.com
optionpay2all.com
democraticash.com

MD5s:
d6b3573944a4b400d6e220aabf0296ec
5b311508910797c91cc9c9eb4b4edb0c


No comments: