Ahmed Sonbol

Sage Ransomware Campaign

Blog Post created by Ahmed Sonbol Employee on Oct 20, 2017

During the week of October 16th 2017, RSA FirstWatch observed a new malspam campaign delivering Sage 2.2 ransomware. The delivery documents come embedded with malicious macros that download the ransomware upon execution.

31119.doc is one example. It uses the usual social engineering tricks to convince the user to run the embedded macro:

Submitting the delivery document to RSA's pre-release What's This File service reveals more information about it, including the obfuscated VBA code:

The VBA code runs a PowerShell command that downloads a binary to the victim machine and executes it:

NetWitness Packets shows the following information for the download session:

Analysis results indicate that the downloaded binary is a Sage ransomware variant. The following post-infection screenshots are from hybrid-analysis.com:

If you zoom out a little, you can see a pattern:

Here is a list of delivery documents (SHA256):

And below is a list of Sage ransomware variants (SHA256):

All the IOCs from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’
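As an added example (not code from the original post or from RSA), the following Python shows how a feed lookup applies the three meta keys above to HTTP session records whose destination is on the delivery-domain list, so an analyst can then pull the tagged sessions. The domains and log lines are constructed placeholders, not the campaign's real indicators.

```python
from dataclasses import dataclass, field

# Meta applied to a session whose destination is on the feed
# (keys and values exactly as listed in the post).
FEED_META = {
    "threat.source": "rsa-firstwatch",
    "threat.category": "malspam",
    "threat.description": "delivery-domain",
}

# Constructed placeholder feed; the campaign's real domains are not reproduced here.
DELIVERY_DOMAINS = {"delivery-domain.example", "second-delivery.example"}


@dataclass
class Session:
    src_ip: str
    host: str
    path: str
    meta: dict = field(default_factory=dict)


def parse_session(line: str) -> Session:
    """Parse a constructed 'src_ip host path' log line; hosts are normalised to lower case."""
    src_ip, host, path = line.split()
    return Session(src_ip, host.lower(), path)


def enrich(sessions, feed=DELIVERY_DOMAINS, meta=FEED_META):
    """Attach the feed's meta to every session whose host is on the feed."""
    for s in sessions:
        if s.host in feed:
            s.meta.update(meta)
    return sessions


def flagged(sessions):
    """Sessions an analyst would query for: threat.source and threat.category set by the feed."""
    return [s for s in sessions
            if s.meta.get("threat.source") == "rsa-firstwatch"
            and s.meta.get("threat.category") == "malspam"]


# Constructed sample sessions: two hit the feed (one with mixed-case host), one is benign.
SAMPLE_LOG = """\
10.0.0.5 delivery-domain.example /file.exe
10.0.0.7 intranet.example /index.html
10.0.0.9 SECOND-DELIVERY.example /download.php
"""


def run(log: str = SAMPLE_LOG):
    """Parse, enrich and return only the sessions tagged by the feed."""
    sessions = enrich([parse_session(l) for l in log.splitlines() if l.strip()])
    return flagged(sessions)
```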
