
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2018-07-27



Sextortion - Follow the Money

Published: 2018-07-27
Last Updated: 2018-07-28 03:20:35 UTC
by Rick Wanner (Version: 1)

With the latest sextortion campaign still in the wild, a couple of us at the ISC decided to try to follow the money. Starting very early in the campaign, we began collecting Bitcoin addresses from the sextortion emails and, using the blockchain.com API Didier used in his diary, all it took was a simple script to monitor payments coming into the BTC addresses associated with this campaign. Initially I was just interested in how long after the campaign began the bad guys would move the money out of these addresses, but it soon became obvious there was much more to be gleaned from this data.

Within a couple of days, we were able to cobble together nearly 20 BTC addresses to monitor, and we were happy with that. Then contacts far and near bought into the project and it took on a life of its own, to the point where we are now monitoring 334 BTC addresses that we are reasonably confident are part of this campaign.

What sort of things has the monitoring revealed?

~17% – percentage of the BTC addresses with payments (56 out of 334).

123 – number of payments received on the 56 BTC addresses with payments.

~$235,000 USD – total value of all the payments stored in the 56 BTC addresses. The 334 addresses we are tracking are thought to be an insignificant subset of those involved in the campaign, so the overall value of this campaign will be many times higher.

9 – most payments on a single BTC address. While most BTC addresses have zero or one payment, there is definitely BTC address reuse in the campaign.

~$1900 USD – average payment.

~$700 USD – lowest payment. (I did see one campaign email requesting $600 USD.)

~$4900 USD – highest payment.

$0 – amount of money the bad guys have moved out of these addresses (although there appears to be a double payment and a refund on one address).

This campaign started a little over two weeks ago (July 10th), and the bad guys still haven't collected the money. Campaign emails and payments appear to have slowed substantially, so maybe soon. With the amount of press this sextortion campaign has gotten, I believe the bad guys will soon reach the point of diminishing returns.
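The monitoring described above, as an added example (this is not Rick's script or any ISC code): it summarises incoming payments across a set of monitored addresses from blockchain.com `rawaddr` JSON and produces the same kind of figures listed above. The response field names (`total_sent`, `txs[].out[].addr`/`value`) are assumed from the blockchain.info rawaddr endpoint; the three addresses, the amounts and the 8000 USD/BTC rate are constructed so the demo runs offline.

```python
import json
import urllib.request

SATOSHI = 100_000_000  # satoshis per BTC


def fetch_rawaddr(address: str) -> dict:
    """Live lookup of one address (network call; the offline demo never calls it)."""
    with urllib.request.urlopen(f"https://blockchain.info/rawaddr/{address}") as r:
        return json.load(r)


def incoming_payments(address: str, rawaddr: dict) -> list:
    """Satoshis paid to `address`, one entry per transaction (i.e. per payment)."""
    payments = []
    for tx in rawaddr.get("txs", []):
        paid = sum(o["value"] for o in tx.get("out", []) if o.get("addr") == address)
        if paid:
            payments.append(paid)
    return payments


def summarize(monitored: dict, usd_per_btc: float) -> dict:
    """Campaign-level figures over {address: rawaddr-json} for all monitored addresses."""
    per_addr = {a: incoming_payments(a, d) for a, d in monitored.items()}
    paid = {a: p for a, p in per_addr.items() if p}
    all_pay = [v for p in paid.values() for v in p]
    def usd(sats): return round(sats * usd_per_btc / SATOSHI)
    return {
        "addresses": len(monitored),
        "addresses_with_payments": len(paid),
        "payments": len(all_pay),
        "total_usd": usd(sum(all_pay)),
        "max_payments_one_address": max((len(p) for p in paid.values()), default=0),
        "avg_usd": usd(sum(all_pay) / len(all_pay)) if all_pay else 0,
        "min_usd": usd(min(all_pay)) if all_pay else 0,
        "max_usd": usd(max(all_pay)) if all_pay else 0,
        # total_sent is the outgoing side: the "have they cashed out yet" figure
        "moved_out_btc": sum(d.get("total_sent", 0) for d in monitored.values()) / SATOSHI,
    }


def tx_to(addr: str, sats: int) -> dict:
    """Build a constructed rawaddr-style transaction paying `sats` to `addr`."""
    return {"out": [{"addr": addr, "value": sats}]}


# Constructed sample: three monitored addresses, two of them paid, nothing moved out.
SAMPLE = {
    "1ConstructedAddrA": {"total_sent": 0, "txs": [tx_to("1ConstructedAddrA", 10_000_000),
                                                  tx_to("1ConstructedAddrA", 30_000_000)]},
    "1ConstructedAddrB": {"total_sent": 0, "txs": [tx_to("1ConstructedAddrB", 20_000_000)]},
    "1ConstructedAddrC": {"total_sent": 0, "txs": []},
}
```

Call `summarize(SAMPLE, 8000)` for the offline figures, or swap in `{addr: fetch_rawaddr(addr) for addr in addresses}` to run it against live addresses.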

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Malspam with password-protected Word docs pushes Hermes ransomware

Published: 2018-07-27
Last Updated: 2018-07-27 18:17:39 UTC
by Brad Duncan (Version: 1)

Introduction

Malicious spam (malspam) with password-protected Word docs continues to be an issue.  Here's a recent password-protected Word doc that shows a 0 / 59 detection rate in VirusTotal as I write this:  SHA256 hash 4e5f6a6e8c073828af55c830fad5ce7496313083f42f5bc655c90a9a1314cbb2.  This type of malspam was recently seen from emails with sending addresses ending in anjanabro.com.  Today's diary reviews an example from Thursday 2018-07-26.


Shown above:  Flow chart for an infection on Thursday 2018-07-26.


Shown above:  Screenshot from one of the emails.


Shown above:  To open the attached Word doc, you need a password from the email.


Shown above:  After opening the Word doc, you're asked to enable macros.

The infection

After successfully opening the attached Word document and enabling macros, I only saw one HTTP request that returned a malware binary.  This was Hermes ransomware, and it didn't generate any post-infection traffic.  It merely encrypted my lab host's files, then it presented an HTML file with instructions on how to pay the ransom and email the criminals.


Shown above:  Macro from password-protected Word doc showing URL for follow-up malware.


Shown above:  HTTP GET request for the follow-up malware.


Shown above:  Signs of ransomware activity on my infected lab host.


Shown above:  HTML document on my infected lab host showing this was Hermes ransomware.

Indicators for this infection

SHA256 hash: 4e5f6a6e8c073828af55c830fad5ce7496313083f42f5bc655c90a9a1314cbb2
File description: Password-protected Word doc with macro to retrieve malware

SHA256 hash: 8dcde14308b6a7edff44fa2ac0aa2e672104db6d35f37ac93452944323468e5e
File description: Follow-up malware - Hermes ransomware

Network traffic: hxxp://205.185.121.209/green.exe

Emails from the decryption instructions:

  • Primary email: decryptsupport@protonmail.com
  • Reserve email: decryptsupport1@cock.li
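The network indicator above, matched against web-proxy logs as an added detection example (not part of Brad's diary): it refangs the defanged URL and scans Squid-style access.log lines, also flagging the more general pattern this infection fits, an .exe fetched over plain HTTP from a bare IPv4 host. The log lines, client addresses and the second download host are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

IOC_URLS = ["hxxp://205.185.121.209/green.exe"]  # from the diary, defanged


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a real URL for matching."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.IGNORECASE)


def suspicious_exe_from_bare_ip(url: str) -> bool:
    """Heuristic: an .exe fetched over plain HTTP from a literal IPv4 host."""
    p = urlsplit(url)
    try:
        ipaddress.IPv4Address(p.hostname or "")
    except ValueError:
        return False
    return p.scheme == "http" and p.path.lower().endswith(".exe")


def scan_log(lines, ioc_urls=IOC_URLS):
    """Return (client, url, reason) for each GET that hits an IoC or the heuristic."""
    known = {refang(u) for u in ioc_urls}
    hits = []
    for line in lines:
        f = line.split()  # Squid native: ts elapsed client code/status bytes method url ...
        if len(f) < 7 or f[5] != "GET":
            continue
        client, url = f[2], f[6]
        if url in known:
            hits.append((client, url, "known-ioc"))
        elif suspicious_exe_from_bare_ip(url):
            hits.append((client, url, "exe-from-bare-ip"))
    return hits


# Constructed Squid access.log lines (clients and the 198.51.100.7 host are made up).
SAMPLE_LOG = [
    "1532620800.123 412 10.0.0.15 TCP_MISS/200 245760 GET http://205.185.121.209/green.exe - HIER_DIRECT/205.185.121.209 application/octet-stream",
    "1532620801.456 88 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.5 text/html",
    "1532620802.789 300 10.0.0.22 TCP_MISS/200 98304 GET http://198.51.100.7/update.exe - HIER_DIRECT/198.51.100.7 application/octet-stream",
]
```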

Final words

As usual, properly-administered and up-to-date Windows hosts are not likely to get infected.  System administrators and the technically inclined can also implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.

A pcap of the infection traffic and associated malware for today's diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net
