We’ve been tracking some more spam dropping Zepto ransomware variants. As in earlier posts, we’re seeing infected attachments with malicious macro scripts used as the entry point for the threat actor. (See images below of some recent spam samples.)
As we dug deeper into our analysis, we found that these macro scripts are not crafted manually. The malware authors have automated the creation and obfuscation of their code. This type of random obfuscation is one way of evading antivirus engines. As outlined below, our research highlights several methods employed to dynamically evolve the attack vector and circumvent detection.
From the malicious emails we have gathered, we examined the attachments to analyze key differences and common characteristics.
The malicious code is written and spread across 3 sub modules:
In another sample, 5 sub modules are used for the malicious code:
Examining the sub modules of the file shows some common signatures that we can look for:
We were able to find blocks of code that share common structures. Remember that these blocks were found in different parts, or at different indexes, of the module. From a programmer’s perspective it may seem a little odd to see code like this, but as the analysis continues it becomes clear that this is just one part of the malware author’s strategy to hide the code and confuse incident responders.
Notice the highlighted strings in both screenshots, which are common across the two samples. At first glance, the significant strings can only be formed once garbage strings such as:
are removed or replaced; with the garbage stripped, they read as:
More significant, perhaps, is what these scripts actually do. Notice also that the highlighted strings are surrounded by what we can now assume is garbage code, inserted for misdirection and to further obfuscate the malicious code.
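To make the garbage-string pattern concrete, here is an added Python example (not code from this post, and not taken from any Zepto sample) that statically applies the Replace() calls found in a macro to recover the padded strings, the same job an analyst does by hand when reading the screenshots above. The macro fragment is constructed: the junk tokens, the COM object names and the .invalid URL are assumed placeholders chosen to resemble a downloader, not values from the samples described here.

```python
import re

# Constructed VBA fragment illustrating the pattern described above: real
# strings are padded with junk tokens ("zqp", "NNNN") and a Replace() call
# strips the junk at runtime. Not code from any Zepto sample; the object
# names and the .invalid URL are assumed placeholders.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim qx As String
    qx = "MSXzqpML2.XzqpMLHTTP"
    Dim wv As String
    wv = "Adozqpdb.Strzqpeam"
    Dim fr As String
    fr = "http://examNNNNple.invalid/NNNNdocs/NNNNload"
    Set oHttp = CreateObject(Replace(qx, "zqp", ""))
    Set oStream = CreateObject(Replace(wv, "zqp", ""))
    fr = Replace(fr, "NNNN", "")
End Sub
'''

# `name = "literal"` on a line of its own
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.MULTILINE)
# Replace(variable, "needle", "replacement")
REPLACE_RE = re.compile(r'Replace\(\s*(\w+)\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')

# COM objects commonly used by macro downloaders (assumed list, not from the post)
DOWNLOADER_OBJECTS = {"msxml2.xmlhttp", "adodb.stream", "wscript.shell", "shell.application"}


def string_assignments(src):
    """Map each variable to the first string literal assigned to it."""
    found = {}
    for name, literal in ASSIGN_RE.findall(src):
        found.setdefault(name, literal)
    return found


def replace_calls(src):
    """Every (variable, needle, replacement) triple passed to Replace()."""
    return REPLACE_RE.findall(src)


def deobfuscate(src):
    """Apply each Replace() statically to the literal it targets."""
    strings = string_assignments(src)
    for name, needle, repl in replace_calls(src):
        if name in strings and needle:
            strings[name] = strings[name].replace(needle, repl)
    return strings


def indicators(src):
    """Static hints that a macro is a junk-padded downloader."""
    recovered = deobfuscate(src)
    hits = []
    for name, value in recovered.items():
        if value.lower() in DOWNLOADER_OBJECTS:
            hits.append(f"{name}: download/COM object {value}")
        elif re.match(r"https?://", value, re.IGNORECASE):
            hits.append(f"{name}: URL {value}")
    # Replace(x, junk, "") with an empty replacement is the junk-stripping idiom
    junk = sorted({n for _, n, r in replace_calls(src) if r == ""})
    if junk:
        hits.append("junk tokens stripped at runtime: " + ", ".join(junk))
    return hits


if __name__ == "__main__":
    for var, value in deobfuscate(SAMPLE_MACRO).items():
        print(f"{var} -> {value}")
    for hit in indicators(SAMPLE_MACRO):
        print("indicator:", hit)
```

The two regexes only cover the simplest shape (a literal assigned to a variable, then a Replace() that strips a fixed token); real macros chain several Replace() calls, split literals with `&` and vary the token per sample, which is exactly why the junk itself is a poor signature and the recovered strings (object names, URLs, file paths) are the better thing to alert on.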
The usual flow of the scripts we analyzed is as follows:
At this point, the payload of the downloaded Zepto ransomware will take over.
As observed with the Zepto downloaders, the scripts also vary in the encrypted URLs they carry. Below are some of the URLs from which the monitored scripts attempted to download Zepto. Imagine how many of them are generated and how many differently structured scripts are available in the wild. Zepto is not only distributed through macro scripts; there are also JavaScript and WSF script downloaders.
With some twists of social engineering, creativity and advanced programming skills, cybercriminals are becoming increasingly adept at delivering Zepto and other ransomware payloads to both business and home users.
Prevent Ransomware Infections?
To prevent ransomware, we recommend blocking it early, at the root of its infection chain. Here are some tips:
VIPRE Antivirus Detections for this threat include:
Analysis by Daryl Tupaz