Malspam email – Jack of all malware, master of none.

Malspam email or malicious spam emails are considered to be one of the favorite malware delivery channels for the attackers to deliver the malware to targeted victims. Attackers also run spam email campaigns to distribute their malware to a large number of users.

For attackers to succeed, two things are important – first is to get through the installed security product’s spam email filters and secondly, the attachment should be opened by the user. To accomplish the second task, attackers use different tactics to make their malicious email look as attractive or legitimate as possible in order to trick users into opening such attachments.

In earlier incidents, such spam campaigns were observed delivering the Monero (XMRig) cryptocurrency miner, Phorpiex spambot and Gandcrab ransomware through zipped ‘.js’ attachments having names which start with “Love_You_”.

How these attacks happen

Let us have a look at the below attack chain which depicts the execution sequence observed in this attack.

Fig: 1 Attack chain

The targeted victim will receive an email with subject name such as “Just for You” or “Love You”. Email contains attachments having names that start with “Love_You_”.

Fig 2: Email with zip attachment.

In the above screenshot, the attached zip file contains js file having the same name as the zip file.

Fig 3:  JavaScript File

As shown in fig. 3 The highlighted command which downloads the initial exe file with random_number as the name of the file through a bitsadmin command from the malicious link “hxxp://slpsrgpsrhojifdij.ru” and drops the downloaded file at %temp%.

This random_number.exe drops a copy of itself at “C:\Windows” with name “winsvcs.exe” which further acts as a malware downloader and downloads the exe files at %temp% as shown in the highlight below in the Wireshark traffic snippet.

Fig 4:  Malware downloader downloads exe files.

Dropped Random_number.exe file performs Monero (XMRig) cryptocurrency miner activity. Below fig. shows traffic for Monero (XMRig) cryptocurrency miner.

Fig 5: Traffic for Monero (XMRig) cryptocurrency miner

Again it drops random_number.exe file at %temp% which is responsible for Phorpiex spambot malware. This Random_number.exe drops “wincfg32svc.exe” at “C:\Windows” location. “wincfg32svc.exe” file tries to send spam emails from the infected host as shown in the below procmon snapshot.

Fig 6: Phorpiex spambot send spam mail from infected host.

Malware downloader then drops another random_number.exe which is a payload for Gandcrab V5.0.4 at %temp% which starts encryption activity on the victim’s computer with AES encryption, and appends ‘. random letters’ extension to encrypted files.

We found that it encrypts only NON-PE files from the victim’s machine. It drops the below ransom note:

Fig 7:  Ransom note

Fig 8:  Encrypted file pattern

Quick Heal proactively protects its users from this threat:

Fig 9: Email protection.

Fig 10:  Behavior Detection

Fig.11: Anti Ransomware

How to stay safe from ransomware attacks

• Always take a backup of your important data in external drives like HDD and pen drives. Consider using a reliable Cloud service to store the data.
• Do not install any freeware or cracked versions of any software.
• Do not open any advertisement shown on websites without knowing that they are genuine.
• Disable macros while using MS Office.
• Update your antivirus to protect your system from unknown threats.
• Do not click on links or download attachments in emails from unexpected, unknown or unwanted sources.

Indicators of compromise: (SHA256)

 Js files:

• 3dd7d393c47e25f9c6136cf03d26af84aea4c918ed8e5ccb41f109004332c0c7
• 6d44af5f399d4630fae19014728af2f9225d3a5a5e40bbff5166f09e3cf49068

Malware Downloader:

• 4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040

Monero (XMRig) cryptocurrency miner:

• b8bf5b607b305139db81c48e96010a67768488b01edc8c615306ed303c545b0d

Phorpiex spambot:

• 4b9d5841d38b8658466dcaf409c34c0f6d2d1f9ecb64254391a4621465daf79b

Gandcrab Ransomware:

• 035ae8f389e0a4cb58428d892123bc3e3b646e4387c641e664c5552228087285

Subject Matter Experts:
Priyanka Dhasade, Manish Patil | Quick Heal Security Labs

Shriram Munde