Introduction

Since 2017-05-11, a new ransomware named "Jaff" has been distributed through malicious spam (malspam) from the Necurs botnet. This malspam uses PDF attachments with embedded Word documents containing malicious macros. Victims must open the PDF attachment, agree to open the embedded Word document, then enable macros on the embedded Word document to infect their Windows computers.
Prior to Jaff, we've seen waves of malspam using the same PDF attachment/embedded Word doc scheme to push Locky ransomware. Prior to that, this type of malspam was pushing Dridex. With all the recent news about WannaCry ransomware, people might forget Jaff is an ongoing threat. Worse yet, some people might not know about it at all since its debut about 2 weeks ago. Jaff has already gotten a makeover, so an infected host looks noticeably different now. With that in mind, today's diary reviews a wave of malspam pushing Jaff ransomware from Tuesday 2017-05-23.

The emails

This specific wave of malspam used a fake invoice theme. It started on Tuesday 2017-05-23 as early as 13:22 UTC and lasted until sometime after 20:00 UTC. I collected 20 emails for today's diary.
As stated earlier, these emails all have PDF attachments, and each one contains an embedded Word document. The Word document contains malicious macros designed to infect a Windows computer.
The traffic

Follow the entire infection chain, and you'll see minimal network traffic compared to other types of malware. The Word macros generate an initial URL to download an encoded Jaff binary, then we see one other URL for post-infection callback from an infected host. The initial HTTP request for Jaff returns an encoded binary that's been XORed with the ASCII string I6cqcYo7wQ. Post-infection traffic merely returns the string "Created" from the server after an infected host checks in.
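As an added example (this is not code from the diary or from the Jaff authors), the following Python script shows how an analyst can recover the dropped binary from the captured HTTP response: it XORs the downloaded blob with a repeating ASCII key, defaulting to the I6cqcYo7wQ key reported above, and only accepts the result if it carries a PE header (MZ stub plus a PE signature at e_lfanew). The encoded sample embedded in the script is a constructed fake PE header, not the real Jaff payload; pass a path to a file carved from a pcap to decode a real sample.

```python
# Added example: XOR-decode a downloaded payload with a repeating ASCII key
# and verify the result is a PE file before treating it as the dropped binary.
import struct
import sys
from itertools import cycle
from typing import Optional

# Key reported in the diary for the 2017-05-23 wave.
KEY = b"I6cqcYo7wQ"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeated cyclically.
    XOR is its own inverse, so the same call encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' at offset 0 and the e_lfanew field
    at offset 0x3C pointing to a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_payload(encoded: bytes, key: bytes = KEY) -> Optional[bytes]:
    """Return the decoded bytes if they form a PE, otherwise None
    (wrong key, truncated capture, or a different encoding scheme)."""
    decoded = xor_repeating(encoded, key)
    return decoded if looks_like_pe(decoded) else None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a real sample: a 0x40-byte DOS header whose
    e_lfanew points at a PE signature. Not executable, not the Jaff binary."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    header += b"PE\0\0" + b"\0" * 20
    return bytes(header)


# What the server response would look like for the constructed sample.
FAKE_ENCODED = xor_repeating(build_fake_pe(), KEY)


if __name__ == "__main__":
    # Usage: python decode_payload.py [carved_http_body]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = FAKE_ENCODED
    result = decode_payload(blob)
    if result is None:
        print("not a PE after XOR; key or sample differs from this wave")
    else:
        print(f"decoded PE, {len(result)} bytes; e_lfanew=0x{struct.unpack_from('<I', result, 0x3C)[0]:x}")
```

The PE check matters in practice: the download URL may serve a decoy or a differently keyed file on a later day, and writing whatever comes back to disk as an .exe without that check wastes analyst time. Keep the decoded file in an isolated analysis environment; the script never executes it.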
The infected Windows host

The encoded binary from this wave of malspam was stored to the user's AppData\Local\Temp directory as lodockap8. Then it was decoded and stored as levinsky8.exe in the same directory. These file names change every day with each new wave of malspam.
On Tuesday 2017-05-23, Jaff ransomware had a makeover. Prior to that, an infected Windows host looked like this:
The Windows host infected with a Jaff ransomware sample I saw on 2017-05-23 looked like this:
Encrypted files had been previously appended with the .jaff file extension. On Tuesday 2017-05-23, encrypted files from my infected host were appended with a .wlu file extension. My infected host asked for 0.35630347 bitcoin as a ransom payment.
Indicators of Compromise (IoCs)

The following are examples of email subject lines and attachment names from Tuesday 2017-05-23:
The following are examples of spoofed email senders from Tuesday 2017-05-23:
The following are examples of SHA256 hashes for the PDF attachments from Tuesday 2017-05-23:
The following are examples of SHA256 hashes and file names for the embedded Word documents from Tuesday 2017-05-23:
The following is the sample of Jaff ransomware I saw on Tuesday 2017-05-23:
The following are URLs generated by malicious macros from the embedded Word documents. They're used to download the encoded Jaff ransomware binary:
The following is post-infection traffic from my infected Windows host:
Final words

Much of this malspam is easy to spot among the daily deluge of spam most organizations receive. However, this PDF attachment/embedded Word doc scheme is likely an attempt to bypass spam filtering. As always, if your organization follows best security practices, you're not likely to get infected. For example, software restriction policies that deny binary execution in certain Windows directories (such as the user's AppData\Local\Temp directory used here) can easily stop this infection chain. Even without software restriction policies, the intended victim receives warnings from both Adobe Reader and Microsoft Word during the infection process. So why do we continue to see this malspam on a near-daily basis? I suppose as long as it's profitable for the criminals behind it, we'll continue to see this type of malspam. If anyone knows someone who's been infected with Jaff ransomware, feel free to share your story in the comments section. Emails, malware samples, and pcaps associated with the 2017-05-23 Jaff ransomware malspam can be found here.
Brad, ISC Handler, May 24th 2017
Comment from Anonymous, May 24th 2017:

Would this mean that CVE-2017-0199 is related to both Jaff and the Hancitor malware family?
Reply from Brad, ISC Handler, May 24th 2017:

CVE-2017-0199 is an exploit that allows someone to execute a binary immediately after opening an Office document. The Word documents embedded in these PDF files use malicious macros that people must enable. The Word documents associated with this Jaff malspam are -not- related to CVE-2017-0199. And Hancitor malspam only used CVE-2017-0199 for a few days before it went back to malicious Word macros.