Last Updated: 2015-12-18 01:09:30 UTC
by Brad Duncan (Version: 1)
Since late November 2015, malicious spam (malspam) distributing TelsaCrypt ransomware has surged in a recent attack offensive . This offensive is on-going. Criminal groups are sending out massive amounts of emails containing attachments with zipped .js files. These zipped .js files--called Nemucod by ESET and some other security vendors --download and install the TeslaCrypt ransomware.
This is no different from other zipped .js file downloaders that I've already posted diaries about [3, 4]. The only difference is the payload. Below is a flow chart for TeslaCrypt infections caused by this malspam.
As the malspam continued, other sources began reporting about it [for example: 5, 6, 7, 8, 9]. Two of my favorite sites for malspam analysis have good information on this campaign: Dynamoo's Blog [references 10 through 18] and TechHelpList.com [references 19 through 28]. Every day or two, these two blogs have reported on these waves of TeslaCrypt malspam.
Reviewing my organization's spam filters, I've found a few of these emails spreading TeslaCrypt; however, I've heard a great deal more about it from other security professionals. Let's review an example from Thursday 2015-12-17.
Thursday's wave of emails had Required your attention as the subject line as shown in the image below.
The zip attachment contains a .js/nemucod file downloader.
The extracted .js file is quite obfuscated. For me, the quickest way to find out what it downloads is to run it in a test environment.
Running this malware on an unpatched Windows 7 host quickly gave me a TeslaCrypt infection.
Encrypted files are given the suffix .vvv which indicates this was version 2.2 of TeslaCrypt . Below are images of the files dropped on the desktop of my infected Windows 7 host.
Traffic is pretty straight-forward for a .js file downloader infecting a host with TeslaCrypt ransomware.
First is the HTTP GET request caused by the .js file downloader to retrieve the TeslayCrypt binary.
Next we see a connectivity check by the infected host as it calls out to determine its public IP address.
Finally, the infected host calls back to a command and control server.
I read a pcap of the traffic using snort on a Debian 7 host running Snort 126.96.36.199 with the Snort subscriber ruleset. That gave me alerts for the TeslaCrypt binary being downloaded to the host right before it was infected.
I also used tcpreplay on a pcap of the infection traffic in Security Onion with the EmergingThreats (ET) Pro ruleset. The ET alerts still show the malware as AlphaCrypt, which is what TeslaCrypt ransomware was calling itself earlier this year.
This is a notable trend, but it's not a serious threat. Properly-administered Windows hosts and a decent mail filtering system should protect users from getting infected by the malspam. However, this type of campaign is apparently profitable for the criminals behind it. Why? Somewhere, people's computers are getting infected because of the TeslaCrypt malspam. Otherwise, why would it continue?
Pcap and malware samples used in this diary are available here.