Here are actual emails featuring familiar social engineering tactics:
The zip attachments contain the WSF.
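One defensive check that follows from this delivery method is to look inside zip attachments for script-type members before the mail ever reaches a user. The following is an added example written for this post, not ThreatTrack's own code; the list of extensions beyond `.wsf` and the sample archives are constructed for the example, and the WSF member is a harmless placeholder rather than the real script.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Script-type extensions that commonly pass gateways which only block .exe attachments.
# ".wsf" is the case from the post; the rest is a constructed list for this example.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".ps1"}


def script_members(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members whose final extension is a script type.

    Using the *final* suffix also catches double extensions such as "invoice.pdf.wsf".
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffix = PurePosixPath(info.filename).suffix.lower()
            if suffix in SCRIPT_EXTENSIONS:
                found.append(info.filename)
    return found


def should_quarantine(zip_bytes: bytes) -> bool:
    """Gateway policy: hold any attachment that carries at least one script member."""
    return bool(script_members(zip_bytes))


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the .wsf content is a placeholder, not the script from the post.
MALICIOUS_SAMPLE = build_sample_zip(
    {"invoice.pdf.wsf": b"<!-- constructed placeholder, not a real script -->"}
)
BENIGN_SAMPLE = build_sample_zip(
    {"report.pdf": b"%PDF-1.4 placeholder", "notes.txt": b"plain text"}
)

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        action = "quarantine" if should_quarantine(sample) else "allow"
        print(f"{label}: {action} {script_members(sample)}")
```

The check is deliberately extension-based because that is the gap the post describes: gateways that block `.exe` but not `.wsf`. It does not open nested archives, so a production filter would also need to recurse into zip-in-zip members.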
An Interactive Analysis with ThreatAnalyzer
To see what we’re dealing with, we turned to ThreatTrack’s malware analysis sandbox ThreatAnalyzer.
We extracted the WSF, submitted it to ThreatAnalyzer and generated the following threat analysis:
Since this is a script, we are most interested in the call tree under WScript.exe. One notable result, circled above, is the number of modified files. This strongly suggests that the sample is either a virus or ransomware. Given the proliferation of ransomware attacks lately, that is our biggest concern.
There are two captured screenshots from our analysis.
Expanding the MODIFIED FILES shows this result.
The files affected are renamed with a “.zepto” filename extension.
Given the screenshot and Modified Files artifacts, we can confidently say that this is a variant of the Zepto ransomware.
The WSF Script Behavior
Selecting C:\Windows\System32\WScript.exe (3388) shows results of the behaviors done by the WSF alone.
It shows that the script created two files and made an HTTP connection to mercumaya.net.
Let’s look at the two files in the Temp folder.
This is the binary view of the UL43Fok40ii file.
This is the UL43Fok40ii.exe file, a complete PE executable.
The two files differ by only 4 bytes in size (208,008 bytes versus 208,004 bytes), which suggests that the file without the .exe extension was decrypted to produce the PE executable. The WSF script then ran the executable with the argument “321”.
Expanding the Network Connections shows the following.
The .com.my suffix of the resolved host suggests that the server is located in Malaysia.
The HTTP header also shows a Content-Length of 208,008 bytes, which matches the size of the encrypted file.
The WSF file executed by WScript.exe simply downloaded a Windows PE file, decrypted it, and then executed it.
The Downloaded Executable PE file
Now we turn our focus on the behavior of the executable file UL43Fok40ii.exe.
The data posted to the Ukraine site is encrypted. Most likely this contains the id and key used to encrypt the files.
ThreatAnalyzer displays the raw data in hexadecimal form. A partially converted version of the raw data is shown below:
This malware also renamed a large number of files. This is the encryption routine: each file is encrypted and renamed to a GUID-style filename with a “.zepto” suffix.
When searching for files, it first targets the phone book file and then traverses the drive starting from its root directory.
Some notable files were also created. The captured screenshot shows the contents of the _HELP_instructions.bmp file.
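The rename pattern described above (GUID-style stem plus `.zepto`) and the sheer count of modified files from the earlier call-tree view together make a usable triage signal. The following is an added example for this post, not ThreatAnalyzer's own output or code: it scores a list of rename events the way an analyst might score the sandbox's MODIFIED FILES view. The sample paths, GUIDs and the hit thresholds are constructed assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# GUID-style stem (8-4-4-4-12 hex groups) followed by the ".zepto" suffix from the post.
ZEPTO_NAME = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.zepto$",
    re.IGNORECASE,
)

# Constructed rename events (old path, new path); paths and GUIDs are made up for the example.
SAMPLE_RENAMES = [
    (r"C:\Users\victim\Documents\budget.xlsx",
     r"C:\Users\victim\Documents\0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9.zepto"),
    (r"C:\Users\victim\Documents\memo.docx",
     r"C:\Users\victim\Documents\1F2E3D4C-5B6A-7988-9A0B-C1D2E3F4A5B6.zepto"),
    (r"C:\Users\victim\Pictures\holiday.jpg",
     r"C:\Users\victim\Pictures\DEADBEEF-0000-1111-2222-333344445555.zepto"),
    (r"C:\Users\victim\Desktop\contract.pdf",
     r"C:\Users\victim\Desktop\12345678-ABCD-EF01-2345-6789ABCDEF01.zepto"),
    (r"C:\Users\victim\Desktop\letter.docx",
     r"C:\Users\victim\Desktop\FEDCBA98-7654-3210-FEDC-BA9876543210.zepto"),
    # An ordinary rename that must not be counted.
    (r"C:\Users\victim\AppData\Local\Temp\tmp1.dat",
     r"C:\Users\victim\AppData\Local\Temp\tmp2.dat"),
]


def is_zepto_rename(old_path: str, new_path: str) -> bool:
    """True when a file gets a new GUID-style name ending in .zepto."""
    new_name = PureWindowsPath(new_path).name
    already_zepto = PureWindowsPath(old_path).suffix.lower() == ".zepto"
    return ZEPTO_NAME.match(new_name) is not None and not already_zepto


def summarize(renames) -> dict:
    """Count Zepto-style renames, the directories touched, and the original extensions hit."""
    hits = [(old, new) for old, new in renames if is_zepto_rename(old, new)]
    directories = {str(PureWindowsPath(new).parent) for _, new in hits}
    extensions = Counter(PureWindowsPath(old).suffix.lower() for old, _ in hits)
    return {
        "total_renames": len(renames),
        "zepto_renames": len(hits),
        "directories": len(directories),
        "extensions": dict(extensions),
    }


def looks_like_ransomware(summary: dict, min_hits: int = 3, min_dirs: int = 2) -> bool:
    """Assumed thresholds: several renames spread over more than one directory."""
    return summary["zepto_renames"] >= min_hits and summary["directories"] >= min_dirs


if __name__ == "__main__":
    result = summarize(SAMPLE_RENAMES)
    print(result)
    print("ransomware-like:", looks_like_ransomware(result))
```

Requiring hits across more than one directory is what separates mass encryption from a single application legitimately rewriting its own files; the thresholds are starting points an analyst would tune against their own sandbox baselines.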
This malware sample attempts to move its running executable to a file in the Temp folder.
With Chrome set as the default browser, the malware opens the _HELP_instructions.html file that it previously created on the Desktop. It also deletes its own copy from the Temp folder, probably as part of its clean-up phase.
Here’s what _HELP_instructions.html looks like when opened in a browser.
The processes in the call tree under Chrome.exe are most likely invoked by the browser and are not part of this malware.
Syndicates behind today’s ransomware like Zepto are aggressively finding various ways of infiltrating businesses and government organizations alike. In this case, they attacked using Windows Script Files in the hope of passing through email gateways that do not block WSF files in attachments.
To protect your organization, deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure. And regularly back up all your critical data.
VIPRE antivirus detections for this threat include Trojan.Locky.AX and Trojan.Win32.Generic!BT.