Fake fax ushers in revival of a ransomware family

“Criminal case against you” is a message that may understandably cause panic. That’s what a recent spam campaign hopes happens, increasing the likelihood of recipients opening the malicious attachment.

We recently discovered a new threat that uses email messages pretending to be fax messages, but in truth deliver a ransomware downloader. The attachment used in this campaign, “Criminal Case against_You-O00_Canon_DR-C240IUP-4VF.rar”, is password-protected RAR archive file that, when extracted, is a trojan detected as TrojanDownloader:JS/Crimace.A.

Email message masquerading as a fax but carrying TrojanDownloader:JS/Crimace.A as attachment

Figure 1. Email message masquerading as a fax but carrying TrojanDownloader:JS/Crimace.A as attachment

The malicious email ticks all the boxes to fake a fax:

  • The subject is a simple “PLEASE READ YOUR FAX T6931”
  • The message body lists fax protocol, date and time, fax channel and number of pages
  • The attachment file name spoofs a popular fax machine brand
  • The attached archive file contains a file that has the fake meta-data “—RAW FAX DATA—“

The use of a password-protected RAR file attachment is a clear attempt to evade AV scanners. The password is provided in the email message body. The archive file contains no fax, but Crimace, a malicious Windows Script File (.WSF) developed in JScript.

When the recipient falls for the lure and opens the attachment, Crimace displays the following message to complete the fax pretense:

Crimace displays a message to signify the fake fax cannot be displayed

Figure 2. Crimace displays a message to signify the fake fax cannot be displayed

Unsuspecting victims might think that is the end of it. But Crimace goes ahead with its intention to download its payload, a ransomware detected as Ransom:Win32/WinPlock.B.

WinPlock is a family of ransomware that has been around since September 2015 but did not have significant activity until recently. The discovery of this new variant signals that it’s back to wreak havoc.

Ransom:Win32/WinPlock.B can search for and encrypt a total of 2,630 file types.

Ransom:Win32/WinPlock.B’s ransom note contains instructions to pay

Figure 3. Ransom:Win32/WinPlock.B’s ransom note contains instructions to pay

It asks for a ransom of .55 Bitcoin, which the ransom note indicates as converting to ~US$386. However, using current conversion rates, it converts a little higher:

Bitcoin to US Dollar conversion on November 11, 2016 shows a higher rate than what is indicated in the ransom note

Figure 4. Bitcoin to US Dollar conversion on November 15, 2016 shows a higher rate than what is indicated in the ransom note (data from Coinbase)

Interestingly, when this ransomware family was first discovered in September 2015, it asked for ransom of 1 Bitcoin, which at the time converted to ~US$300. The market has changed since then, with more and more ransomware families and better technologies to detect ransomware. The increase in ransom amount indicates the actors behind this ransomware family are tracking Bitcoin exchange rates, and aim for potentially bigger gain.

And, just like the fake fax that delivers Crimace, Ransom:Win32/WinPlock.B attempts to cause panic by setting a timer that gives a victim 120 hours to pay the ransom:

data:text/mce-internal,content,%3Cimg%20width%3D%22538%22%20height%3D%22118%22%20class%3D%22alignnone%20size-full%20wp-image-9515%22%20alt%3D%22Bitcoin%20to%20US%20Dollar%20conversion%20on%20November%2011%2C%202016%20shows%20a%20higher%20rate%20than%20what%20is%20indicated%20in%20the%20ransom%20note%22%20src%3D%22https%3A//msdnshared.blob.core.windows.net/media/2016/11/winplock-bitcoin-us-dollar-conversion.png%22%20/%3E

Figure 5. Ransom:Win32/WinPlock.B sets a timer

TrojanDownloader:JS/Crimace.A has a lot of functions to download and execute

TrojanDownloader:JS/Crimace.A arrives as a malicious .WSF file contained in a RAR archive attached to emails:

The attachment is a RAR archive containing a malicious .WSF file

Figure 6. The attachment is a RAR archive containing a malicious .WSF file

Inspecting the .WSF file shows that it is obfuscated script file:

crimace-obfuscated-script

Figure 7. The .WSF file before unobfuscated form

Decrypting the file reveals a lot of suspicious functions including download and execute capabilities:

  • function CheckWSFInAutorun()
  • function CheckWSFInFolder()
  • function CopyWSFToFolder()
  • function DecRequest()
  • function Download()
  • function EncRequest()
  • function Execute()
  • function GetCurrentFile()
  • function GetInstallPath()
  • function GetRandHASH()
  • function GetRandomName()
  • function GetStrHASH()
  • function GetWSFGuid()
  • function HTTPRequest()
  • function HTTPRequestRaw()
  • function IsUserAdmin()
  • function MakeAutorun()
  • function SelfDelete()
  • function UnitChange()
  • function UnitPing()
  • function UnitRequest()

The header of the file is its configuration code and is embedded on the file as an array:

The header of the decrypted script is the configuration code

Figure 8. The header of the decrypted script is the configuration code

When decrypted, the configuration includes data including campaign number, download links, and installation paths:

Decrypted configuration

Figure 9. Decrypted configuration

Ransom:Win32/WinPlock.B encrypts 2,620 file types

Ransom:Win32/WinPlock.B is downloaded by Crimace as a Nullsoft Scriptable Install System (NSIS) package. Once executed it may create the following desktop shortcut:

NSIS package icon used by malware

Figure 10. NSIS package icon used by malware

When the malicious file is extracted from the NSIS package, it uses the following icon:

Icon used by malware after extraction from package

Figure 11. Icon used by malware after extraction from package

The malware’s file information also shows campaign ID as internal name and version:

The malware file information

Figure 12. The malware file information

When successfully executed, Ransom:Win32/WinPlock.B encrypts files with extensions in its list of 2,630. Notably, the ransom note contains an email address to contact for support. It asks for ransom of .55 Bitcoins.

Ransom:Win32/WinPlock.B’s ransom note contains support information

Figure 13. Ransom:Win32/WinPlock.B’s ransom note contains support information

The ransom note also lists websites where victim can buy Bitcoins:

Ransom:Win32/WinPlock.B’s ransom note lists information for acquiring Bitcoins

Figure 14. Ransom:Win32/WinPlock.B’s ransom note lists information for acquiring Bitcoins

Clicking the “Show files” lists all the encrypted files. Unlike other ransomware, Ransom:Win32/WinPlock.B does not change the extension of the encrypted files:

List of encrypted files

Figure 15. List of encrypted files

It also creates additional files to remind users that their computer is infected:

The malware creates additional files to indicate that files have been encrypted

Figure 16. The malware creates additional files to indicate that files have been encrypted

Prevention and mitigation

To avoid falling prey to this new ransomware campaign, here are some tips:

For end users

  • Use an up-to-date, real-time antimalware product, such as Windows Defender for Windows 10.
  • Keep Windows and the rest of your software up-to-date to mitigate possible software exploits.
  • Think before you click. Do not open emails from senders you don’t recognize.  Upload any suspicious files here: https://www.microsoft.com/en-us/security/portal/submission/submit.aspx. This campaign uses a RAR archive file, which may be a common attachment type, but it contains a .WSF file. Be mindful of what the attachment is supposed to be (in this case, a fax) and the actual file type (a script).

For IT Administrators

Additional information

To learn more about how Microsoft protects you from ransomware, you can read the following:

 

Francis Tan Seng

MMPC

https://blogs.technet.microsoft.com/mmpc/feed/