Ahmed Sonbol

Malspam delivers GandCrab ransomware 2-7-2017

Blog Post created by Ahmed Sonbol Employee on Feb 8, 2018

Malspam was observed on February 7th 2017 delivering GandCrab ransomware. GandCrab is a new ransomware family that was first reported in late January. This is the first time to see it being distributed via a malspam campaign [1].

 

This screenshot from myonlinesecurity.co.uk shows an example of e-mails used in the campaign [2]. They come with PDF attachments and a little bit of social engineering. If the user opens the attachment, it downloads a Word document ; opening the Word document in turn downloads the ransomware payload.

 

 

A similar infection chain has been used lately to deliver the Dridex banking trojan. RSA FirstWatch previously blogged on the resurgence of Dridex.

 

Scan-image001_070218.jpg is an example of one of those downloaded Word documents:

 

 

Submitting it to RSA pre-release What's This File service gives more information about its maliciousness:

 

 

 

The embedded code suggests that the actors are only targeting Windows 64 bits machines.

 

Upon opening the document with Microsoft Word on a 64 bits machine, an HTTP GET request is issued to sorinnohoun[.]com to retrieve a script:

 

 

 

 

It is a well-documented and publicly available script. It can reflectively load a DLL/EXE into a powershell process or it can reflectively load a DLL into a remote process. In this case, sct5 is being used to load the GandCrab ransomware into the powershell process:

 

 

 

Next, the malware connects to its C2 domain nomoreransom[.]coin to get the victim machine IP address:

 

 

 

This is followed by POST requests to the same domain with encoded/encrypted data:

 

 

 

 

On the host side, you can start seeing the files being encrypted. The ransomware adds gdcb extension to an encrypted file:

 

 

It drops a note in each directory with the instructions on how to pay the ransom and recover the files:

 

 

 

As of this writing, the actors are asking for 2.6 Dash coins to buy GandCrab decryptor in order to recover the files on this particular victim machine. If not paid in time, the ransom they are asking for simply doubles. 

 

 

Here is a recap of the network activity:

 

 

All the IOC from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’

 

Feb-9523713.pdf (SHA256):

  • 3aabca6aa74d4499e07d8828be981e65d421603895dd8450a15b49f1113517ff

 

Scan-image001_070218.jpg (SHA256):

  • 8f9e12851b92fcc74f9c9ab6181aa3fd49eabcf789608f9986cb136141033213

 

sct (SHA256):

  • 6960a00da0069a5b1aa7e213962a65abe3b148ddb7ac508cda0f8f8492ef7eaf

 

References:

  1.  GandCrab Ransomware: Now Coming From Malspam - SANS Internet Storm Center 
  2. https://myonlinesecurity.co.uk/fake-receipt-malspam-delivers-gandcrab-ransomware-via-pdf-dropping-macro-dropping-exploit… 

Outcomes