Feb 27 2017

Shamoon: Multi-staged destructive attacks limited to specific targets

Recent attacks involving the destructive malware Shamoon appear to be part of a much wider campaign in the Middle East and beyond.

Feb 22 2017

Spora Ransomware Infects ‘Offline’—Without Talking to Control Server

Spora is a ransomware family that encrypts victims’ files and demands money to decrypt the files. It has infected many computers in a short time due to a huge spam campaign. It has a very special feature—to work offline.

Propagation vector

The spam campaign carries a .zip file, which contains an HTA (HTML Application) file to evade detection from some email scanners and maximize its outreach. The contents of the email are carefully crafted to lure victims using social engineering techniques. This HTA file also tricks users by using the double extensions rtf.hta and doc.hta. If file extensions are hidden on victim’s machines, then they will see only the first extension and might be fooled into opening the file.

The spam email looks like this:

The contents of HTA file:

At runtime the HTA file drops a JavaScript file in the %Temp% folder. Further JavaScript extracts an executable with a random name (in this case: goodtdeaasdbg54.exe) in %TEMP% and executes.

The HTA file also extracts and executes a .docx file that is corrupted and returns an error to distract the victims:


Goodtdeaasdbg54.exe is packed using the UPX packer and contains the payload (Spora). It first checks whether a copy of this file is running in memory. If not, it creates a mutex. Spora uses mutex objects to avoid infecting the system more than once.

Spora checks for the logical drives available in the system:

Once a resource is available, Spora searches for files to encrypt but avoids “windows,” “Program files,” and “games.”

Spora removes the volume shadow copies from the target’s system, thereby preventing the user from restoring the encrypted files. (A shadow copy is a Windows feature that helps users make backup copies (snapshots) of computer files or volumes.) To delete the shadow volume copies, Spora uses the command “vssadmin.exe Delete Shadows /All /Quiet.” This ransomware uses the vssadmin.exe utility to quietly delete all the shadow volume copies on the computer.

It also creates .lnk files along with .key and .lst files in the root drive.

Spora also deletes the registry value to remove the shortcut icons.

Encryption process

Step 1: It generates a random “per file AES” symmetric key for each file.

Step 2: Spora generates a local public-private key pair.

Step 3: The public key generated from Step 2 will encrypt the “per file AES” key and append it to the encrypted file.

Step 4: After encrypting all the files, Spora generates a unique AES symmetric key.

Step 5: The private key generated in Step 2 is copied into the .key file and encrypted by the unique AES key generated in Step 4.

Step 6: Finally the unique AES key is encrypted by decrypting the public key (explained below) and appending it to the .key file.

The malware author’s public key is embedded in the malware executable using a hardcoded AES key. The decrypted public key:

The decryption is possible only by the private key held by the malware author. Once the payment is done, the author may provide victims with the private RSA key to decrypt the encrypted AES key appended in the .key file. The decrypted AES key will decrypt the remaining .key file, which contains the user’s private RSA key.

The whole process is bit complex and lengthy but using this scheme Spora successfully avoids the dependency of obtaining a key from a control server and can work offline.

Key file

Spora encrypts six types of file extensions:

The .key filename contains information in the following format:

And encodes all this information with a substitution method.

In our case US736-C9XZT-RTZTZ-TRHTX-HYYYY.KEY translates to:

  • USA as locale.
  • The characters “736C9” for the beginning of the MD5 hash.
  • 10 encrypted office documents (Type 1).
  • Two encrypted PDF (Type 2).
  • Zero encrypted CorelDraw/AutoCAD/Photoshop files (Type 3).
  • Zero encrypted database files (Type 4).
  • 25 encrypted images (Type 5).
  • 15 encrypted archives (Type 6).

The decoding mechanism of .key file:

Ransom message

The ransom note is written in Russian, here with our translation:

The Spora payment site provides several packages for victims with different prices with a deadline.

The hashes used in the analysis:

  • a159ef758075c9fb64d3f06ff4b40a72e1be3061
  • 0c1007ba3ef9255c004ea1ef983e02efe918ee59

Intel Security advises users to keep their antimalware signatures up to date at all times. Intel Security products detect the malicious HTA file and Spora binary as JS/Spora.a and Ransom-Spora! [Partial hash], respectively, with DAT Versions 8435 and later.

This post was prepared with the invaluable assistance of Sourabh Kadam. 


The post Spora Ransomware Infects ‘Offline’—Without Talking to Control Server appeared first on McAfee Blogs.

Feb 22 2017

Android ransomware requires victim to speak unlock code

Latest Android.Lockdroid.E variant uses speech recognition instead of typing for unlock code input.

Feb 14 2017

Macro Malware Targets Macs

Macro malware has been spreading for years. New techniques arise all the time to hide malicious code and thus increase the difficulty of analysis. However, just targeting Microsoft Windows no longer seems to be enough for the malware authors. The Mac appears to be the new challenge, and attackers appear to be rising to this challenge.

In previous versions of macro threats, the malicious code was hidden in user forms and macros in Microsoft Office files. (See Macro Malware Associated With Dridex Finds New Ways to Hide.) The latest member of this family seems to have learned a new trick or two, as we now will see.

  • The malicious code is now hidden in the properties of Excel worksheet files:

A malicious Excel file ready to be executed.

When the file is opened we see this message.

If we access the file’s properties, we can read the Powershell script code.

The full content in Properties.

Location of hidden content.

An extract of the Powershell content.

  • The malicious code runs Powershell, which downloads malware after the victim enables macros.

  • The macro searches for the hidden code in Properties and runs it using Powershell, but this works only on Windows systems. How does the malicious code execute on the Mac? The malware developers use MacScript:

The macro code verifies whether WScript.Shell is present. In case of an error, the code executes the module macshell:

This script runs the code on the Mac. The script runs with the same permissions as Microsoft Office.

As we ran this analysis, the control server contacted by this malware sample was not running; so we were unable obtain the payload.

The MD5 hash for the samples we found:

  • 952A36F4231C8628ACEA028B4145DAEC

Full descriptions of the W97M and X97M malware families are available in our Threat Advisories:

During our analysis, the malware attempted contacted the following server (with URL modified for safety):

  • hxxp://ndur0.net

Intel Security advises users to keep their antimalware signatures up to date at all times. Intel Security products detect this malicious Office Trojan as X97M/Downloader.bf.

The post Macro Malware Targets Macs appeared first on McAfee Blogs.