Ahmed Sonbol

Malspam delivers GlobeImposter ransomware 7-26-2017

Blog post created by Ahmed Sonbol on Jul 27, 2017

Malspam activity was noted on July 26, 2017 delivering GlobeImposter ransomware. This threat advisory sheds some light on the activity from the perspective of NetWitness Packets and NetWitness Endpoint.

Scan results of a delivery document can be found here. Submitting the file to RSA's pre-release What's This File service shows the highest threat score along with several suspicious characteristics:

Upon running the embedded VBA code, traffic was observed to a delivery domain to download an obfuscated payload:

This network behavior was shared among multiple infected machines:

The download sessions were tagged with the following meta values in NetWitness Packets: 

The downloaded payload is de-obfuscated and saved to the user's %Temp% directory as hurds8.exe:

VirusTotal scan results of that executable can be found here. Here is the analysis report from hybrid-analysis.com.

The binary starts by copying itself to a new directory and by modifying the registry to gain persistence on the system:

It also drops and runs a batch script in the %TEMP% directory with typical instructions for ransomware:

The screenshot below shows part of the tracking history of an infected machine:

The following screenshot shows the module IIOCs for hurds8.exe as well as its tracking information:

Notice in the tracking data how the ransomware uses the .707 extension when renaming the newly encrypted files. This GlobeImposter variant drops the following ransom note:
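The rename pattern visible in the tracking data is something a defender can alert on directly. The following detector is an added example (not code from the advisory or from RSA NetWitness): it groups rename events by process and flags any process that renames many files to the .707 extension inside a short window, which separates a bulk encryptor from a user renaming the odd file. The event tuple layout and the sample events are constructed for this example; NetWitness Endpoint tracking data is exported in its own format and would need to be mapped onto these fields first.

```python
# Added example (not code from the original advisory or RSA): detect a
# burst of renames to the .707 extension, the behaviour the advisory's
# tracking data shows for hurds8.exe. Event layout and samples are
# constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".707"  # extension the advisory observed on encrypted files

# Constructed sample events: (ISO timestamp, process name, action, old path, new path)
SAMPLE_EVENTS = [
    ("2017-07-26T10:00:01", "hurds8.exe", "rename",
     r"C:\Users\bob\Documents\q1.xlsx", r"C:\Users\bob\Documents\q1.xlsx.707"),
    ("2017-07-26T10:00:02", "hurds8.exe", "rename",
     r"C:\Users\bob\Documents\memo.docx", r"C:\Users\bob\Documents\memo.docx.707"),
    ("2017-07-26T10:00:02", "explorer.exe", "rename",
     r"C:\Users\bob\Desktop\old.txt", r"C:\Users\bob\Desktop\new.txt"),
    ("2017-07-26T10:00:03", "hurds8.exe", "rename",
     r"C:\Users\bob\Pictures\a.jpg", r"C:\Users\bob\Pictures\a.jpg.707"),
    ("2017-07-26T10:00:04", "hurds8.exe", "rename",
     r"C:\Users\bob\Pictures\b.jpg", r"C:\Users\bob\Pictures\b.jpg.707"),
    ("2017-07-26T10:00:05", "hurds8.exe", "rename",
     r"C:\Users\bob\Music\c.mp3", r"C:\Users\bob\Music\c.mp3.707"),
    ("2017-07-26T10:00:06", "hurds8.exe", "rename",
     r"C:\Users\bob\Videos\d.mp4", r"C:\Users\bob\Videos\d.mp4.707"),
    # a lone rename long after the burst, outside any 60-second window
    ("2017-07-26T10:30:00", "hurds8.exe", "rename",
     r"C:\Users\bob\late.pdf", r"C:\Users\bob\late.pdf.707"),
]


def ransom_renames(events, ext=RANSOM_EXT):
    """Collect, per process, the timestamps of renames whose new name ends with ext."""
    per_proc = defaultdict(list)
    for ts, proc, action, _old, new in events:
        if action == "rename" and new.lower().endswith(ext):
            per_proc[proc].append(datetime.fromisoformat(ts))
    return per_proc


def flag_mass_rename(events, threshold=5, window_seconds=60, ext=RANSOM_EXT):
    """Return {process: peak} for every process that renamed at least
    `threshold` files to `ext` within some `window_seconds` interval;
    `peak` is the largest count seen in a single window."""
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for proc, times in ransom_renames(events, ext).items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # slide the window start forward until it spans at most window_seconds
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(proc, 0):
                flagged[proc] = count
    return flagged


if __name__ == "__main__":
    for proc, peak in flag_mass_rename(SAMPLE_EVENTS).items():
        print(f"ALERT: {proc} renamed {peak} files to {RANSOM_EXT} within 60s")
```

The threshold and window are tuning knobs: a low threshold catches the encryptor earlier but raises the chance of flagging a legitimate batch rename, so the values should be set against what normal rename volume looks like on the monitored hosts.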

GlobeImposter delivery documents (SHA256):

  • 5d0eb492f4f36bfd871f6399dc777b9abb1436d18fdf7f1e737ff36ab86fb5b1
  • 4e4ded4a9aa9122594389adba17f4b6ad6ad5f37b1353274a69a09f737c03789

GlobeImposter ransomware variant (SHA256):

  • a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e

All the IOCs from those HTTP sessions were added to the FirstWatch Command and Control Domains feed on Live with the following meta values:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'
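To make the indicators above actionable outside NetWitness, here is an added example (not code from the advisory or from RSA) that checks observed file hashes against the SHA256 values listed in the advisory and tags an HTTP session to a known delivery host with the same three meta keys the FirstWatch feed entry carries. The advisory does not publish the delivery domain itself, so `KNOWN_DELIVERY_DOMAINS` holds a constructed placeholder, and the bytes hashed in the test are constructed as well.

```python
# Added example (not code from the original advisory or RSA): match hashes
# and hostnames against the advisory's indicators and emit the feed meta
# values it lists. The delivery hostname is a constructed placeholder.
import hashlib

# SHA256 indicators published in the advisory
DELIVERY_DOCUMENTS = {
    "5d0eb492f4f36bfd871f6399dc777b9abb1436d18fdf7f1e737ff36ab86fb5b1",
    "4e4ded4a9aa9122594389adba17f4b6ad6ad5f37b1353274a69a09f737c03789",
}
RANSOMWARE_BINARY = {
    "a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e",
}

# Meta values the advisory says the FirstWatch feed applies to delivery domains
FEED_META = {
    "threat.source": "rsa-firstwatch",
    "threat.category": "malspam",
    "threat.description": "delivery-domain",
}

# Constructed placeholder: the real delivery domain is only in the Live feed
KNOWN_DELIVERY_DOMAINS = {"delivery-domain.example"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of a byte string, the form the advisory's indicators use."""
    return hashlib.sha256(data).hexdigest()


def classify_hash(digest: str):
    """Return 'delivery-document', 'ransomware' or None for a SHA256 hex digest."""
    d = digest.strip().lower()
    if d in DELIVERY_DOCUMENTS:
        return "delivery-document"
    if d in RANSOMWARE_BINARY:
        return "ransomware"
    return None


def classify_bytes(data: bytes):
    """Hash file contents and classify them against the indicator sets."""
    return classify_hash(sha256_hex(data))


def tag_session(hostname: str, known=KNOWN_DELIVERY_DOMAINS):
    """Return the feed meta values for an HTTP session whose host is a known
    delivery domain or a subdomain of one, otherwise None."""
    host = hostname.strip().lower().rstrip(".")
    for domain in known:
        if host == domain or host.endswith("." + domain):
            return dict(FEED_META)
    return None


if __name__ == "__main__":
    print(classify_hash("a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e"))
    print(tag_session("www.delivery-domain.example"))
```

Matching is case-insensitive on the hash and suffix-aware on the hostname, so `www.` or other subdomains of a listed delivery domain still tag the session, while a hostname that merely ends with the same characters (no dot boundary) does not.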

Outcomes