Introduction

Since late November 2015, malicious spam (malspam) distributing TeslaCrypt ransomware has surged in a recent attack offensive [1]. This offensive is ongoing. Criminal groups are sending out massive amounts of email containing attachments with zipped .js files. These zipped .js files, called Nemucod by ESET and some other security vendors [2], download and install the TeslaCrypt ransomware. This is no different from other zipped .js file downloaders that I've already posted diaries about [3, 4]. The only difference is the payload. Below is a flow chart for TeslaCrypt infections caused by this malspam.

As the malspam continued, other sources began reporting about it [for example: 5, 6, 7, 8, 9]. Two of my favorite sites for malspam analysis have good information on this campaign: Dynamoo's Blog [references 10 through 18] and TechHelpList.com [references 19 through 28]. Every day or two, these two blogs have reported on these waves of TeslaCrypt malspam.

Reviewing my organization's spam filters, I've found a few of these emails spreading TeslaCrypt; however, I've heard a great deal more about it from other security professionals. Let's review an example from Thursday 2015-12-17.

The email

Thursday's wave of emails had "Required your attention" as the subject line, as shown in the image below. The zip attachment contains a .js/Nemucod file downloader. The extracted .js file is quite obfuscated. For me, the quickest way to find out what it downloads is to run it in a test environment.

The infection

Running this malware on an unpatched Windows 7 host quickly gave me a TeslaCrypt infection.
Encrypted files are given the suffix .vvv, which indicates this was version 2.2 of TeslaCrypt [1]. Below are images of the files dropped on the desktop of my infected Windows 7 host.

The traffic

Traffic is pretty straightforward for a .js file downloader infecting a host with TeslaCrypt ransomware.
First is the HTTP GET request caused by the .js file downloader to retrieve the TeslaCrypt binary.
Next we see a connectivity check by the infected host as it calls out to determine its public IP address.
Finally, the infected host calls back to a command and control server.
I read a pcap of the traffic using Snort on a Debian 7 host running Snort 2.9.8.0 with the Snort subscriber ruleset. That gave me alerts for the TeslaCrypt binary being downloaded to the host right before it was infected.
I also used tcpreplay on a pcap of the infection traffic in Security Onion with the EmergingThreats (ET) Pro ruleset. The ET alerts still show the malware as AlphaCrypt, which is what TeslaCrypt ransomware was calling itself earlier this year.
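The three-step traffic sequence above (executable download, public-IP check, C2 callback) can also be correlated from ordinary proxy logs, which catches the infection even when no signature for the current binary exists. The script below is an added example for this diary, not part of the diary itself or of the Snort/ET rulesets it mentions; the log lines, the .example hostnames and the IP_CHECK_HOSTS list are constructed and would need to be replaced with the IP-lookup services actually seen in your environment.

```python
"""Correlate HTTP proxy log lines into the three-stage traffic pattern of the
TeslaCrypt malspam infections: payload download, public-IP check, C2 callback.
Added example; the log lines below are constructed, not from the diary's pcap."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log (hostnames use the reserved .example TLD).
# Fields: timestamp  src-ip  method  host  uri  status  response-content-type
SAMPLE_LOG = """\
2015-12-17T14:02:11 10.0.0.25 GET  cdn.benign.example /news/index.html 200 text/html
2015-12-17T14:02:19 10.0.0.25 GET  payload.badhost.example /counter/?a=84.exe 200 application/octet-stream
2015-12-17T14:02:24 10.0.0.25 GET  ipcheck.example / 200 text/plain
2015-12-17T14:02:31 10.0.0.25 POST c2.badhost.example /wp-content/themes/misc.php 200 text/html
2015-12-17T14:05:02 10.0.0.40 GET  ipcheck.example / 200 text/plain
2015-12-17T14:06:45 10.0.0.51 GET  updates.vendor.example /setup.exe 200 application/octet-stream
2015-12-17T14:07:10 10.0.0.51 GET  updates.vendor.example /checkin.php 200 text/html
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(\S+)$")
EXE_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
# Assumption: fill with the public-IP lookup services observed in your own proxy logs.
IP_CHECK_HOSTS = {"ipcheck.example"}
STAGE_ORDER = ("payload_download", "ip_check", "c2_callback")


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, host, uri, status, ctype = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "method": method,
                       "host": host, "uri": uri, "status": int(status), "ctype": ctype})
    return events


def classify(ev):
    """Map one request to a stage of the infection chain, or None if it fits none."""
    if ev["method"] == "GET" and (ev["ctype"] in EXE_TYPES or ev["uri"].lower().endswith(".exe")):
        return "payload_download"
    if ev["method"] == "GET" and ev["host"] in IP_CHECK_HOSTS:
        return "ip_check"
    if ev["method"] == "POST" and ev["uri"].lower().endswith(".php"):
        return "c2_callback"
    return None


def find_chain(hits, window):
    """Return the first download -> ip_check -> c2 sequence, in order, inside the window."""
    for i, (t0, stage0, ev0) in enumerate(hits):
        if stage0 != STAGE_ORDER[0]:
            continue
        chain, want = [ev0], 1
        for t, stage, ev in hits[i + 1:]:
            if t - t0 > window:
                break
            if stage == STAGE_ORDER[want]:
                chain.append(ev)
                want += 1
                if want == len(STAGE_ORDER):
                    return chain
    return None


def detect(text, window=timedelta(minutes=10)):
    """Group classified requests per source host and alert on a complete chain."""
    by_src = defaultdict(list)
    for ev in parse_log(text):
        stage = classify(ev)
        if stage:
            by_src[ev["src"]].append((ev["ts"], stage, ev))
    alerts = []
    for src, hits in by_src.items():
        hits.sort(key=lambda h: h[0])
        chain = find_chain(hits, window)
        if chain:
            alerts.append({"src": src, "first_seen": chain[0]["ts"].isoformat(),
                           "payload_host": chain[0]["host"], "c2_host": chain[2]["host"],
                           "c2_uri": chain[2]["uri"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the constructed log only 10.0.0.25 completes the chain; 10.0.0.40 only performs an IP check and 10.0.0.51 pulls a legitimate installer without the follow-on POST, so neither is flagged. The stage order and the time window are the tuning knobs: requiring all three stages in sequence keeps a stray installer download or a user visiting an IP-lookup site from alerting on its own.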
Final words

This is a notable trend, but it's not a serious threat. Properly-administered Windows hosts and a decent mail filtering system should protect users from getting infected by the malspam. However, this type of campaign is apparently profitable for the criminals behind it. Why? Somewhere, people's computers are getting infected because of the TeslaCrypt malspam. Otherwise, why would it continue?

Pcap and malware samples used in this diary are available here.

---

References:

[1] http://www.symantec.com/connect/blogs/major-teslacrypt-ransomware-offensive-underway
Brad, ISC Handler
Dec 18th 2015
Here's my VirusTotal link to one of the .js files.
I added some of the deobfuscated JavaScript, as well as one of the malicious domains, in the comments. https://www.virustotal.com/en/file/dde710ed0e8c2e015359738d098dc46acedf1595e4fd85a5ae3da430342ba281/analysis/
Anonymous
Dec 18th 2015
I don't understand how including zipped Javascript in an email attachment causes the Javascript code to get run automatically, which seems like the only way this infection vector would ever work. Can someone explain this to me?
whurlitzer
Dec 19th 2015
It is not a 'JavaScript' file; it is a 'JScript' file (https://en.wikipedia.org/wiki/JScript).
Windows boxes can execute such scripts using their scripting engine. (Presumably, the user has to double-click on it first.)
Anonymous
Dec 21st 2015
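The reply above explains the delivery side: a .js inside a zip is handled by the Windows scripting engine once the user extracts and double-clicks it, so the mail gateway is the place to stop it, as the diary's closing remarks also suggest. The following is an added example from the editor, not code from the diary or from any of the commenters: it opens an attachment with Python's zipfile module and flags members that Windows Script Host (or mshta) would run, including double-extension names such as scan.pdf.js, encrypted members that cannot be inspected, and scripts hidden one or two zips deep. The extension list deliberately goes beyond the campaign's .js to the other script types the same engine executes; the sample zips and their file names are constructed and hold harmless placeholder text.

```python
"""Inspect a zipped e-mail attachment for members that Windows Script Host (or
mshta) would execute on double-click, the vector used by the Nemucod/TeslaCrypt
malspam. Added example, not the diary's code; the sample zips are constructed."""
import io
import os
import zipfile

# Extensions handled by WSH / mshta when double-clicked. Broader than the .js
# used in this campaign: the other script types run through the same engine.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
MAX_NESTING = 2  # zips inside zips are inspected this many levels deep


def risky_members(data, depth=0):
    """Return findings for script members, encrypted members, and script members
    inside nested zips. Input that is not a zip archive yields no findings."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if info.flag_bits & 0x1:
                # Password-protected member: contents cannot be checked, so treat as suspicious.
                findings.append({"name": name, "reason": "encrypted member, contents not inspectable"})
                continue
            if ext in SCRIPT_EXTENSIONS:
                reason = "script type executed by Windows Script Host"
                if os.path.splitext(stem)[1].lower() in DOCUMENT_EXTENSIONS:
                    reason += "; double extension mimics a document"
                findings.append({"name": name, "reason": reason})
            elif ext == ".zip" and depth < MAX_NESTING:
                # Recurse into a nested archive and prefix the path so the report shows where it sat.
                for inner in risky_members(zf.read(info), depth + 1):
                    inner["name"] = name + "/" + inner["name"]
                    findings.append(inner)
    return findings


def should_quarantine(data):
    """A mail filter would hold the message if any member is flagged."""
    return bool(risky_members(data))


def build_sample_attachment():
    """Constructed: a zip shaped like the campaign's attachment, with a script member,
    a harmless text member and a nested zip carrying a double-extension script.
    The .js members contain placeholder text, not the real downloader."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("scan0042.pdf.js", "var a = 'placeholder';")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Required_your_attention.js", "// placeholder, not the real downloader")
        z.writestr("readme.txt", "plain text member")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_attachment():
    """Constructed: a zip containing only a document, which should pass."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in risky_members(build_sample_attachment()):
        print(finding["name"], "->", finding["reason"])
```

Matching on the member's own extension rather than the attachment's is the point: the outer file is just a .zip, which most filters allow, and the name the user sees after extraction is what decides which handler Windows runs. Encrypted members are flagged rather than passed because the same campaigns can move to password-protected archives that an inspection step cannot open.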
Thanks for the clarification, anon.
whurlitzer
Dec 21st 2015