A new ransomware family is being distributed in the wild through spam e-mail and a phishing page engineered to look like a fake Microsoft Word Online document.
Distribution techniques used by the attackers include spam e-mails, malicious URLs, malicious attachments, exploit kits and freeware bundles.
When a user clicks the enclosed link, the browser is redirected to a fake Microsoft Word Online site that displays a supposedly unreadable document. The page then states that the document cannot be displayed in the browser and that the victim needs to download and install a plugin. An example of the fake Word Online document is shown below.
The campaign is very active and uses a large number of compromised websites for propagation. As of now, the ransomware has been observed using the three compromised hyperlinks listed below.
The parent URL uspsbiluwzxb48370.ideliverys.com/u844 (ideliverys.com was registered only a few days ago, and multiple random subdomains are used in the infection chain) uses an HTML meta refresh to trigger an instant client-side redirect:
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Refresh" content="0;hxxp://posof.bel.tr/counter/1.htm">
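The zero-delay meta refresh above is a simple pattern to flag when triaging crawled or proxy-captured HTML. The following is an added example, not code from Sequretek or the original write-up: it parses a page with Python's standard html.parser, extracts every refresh directive, and reports whether the page bounces the browser to a different host immediately. The sample HTML is constructed here from the two meta tags quoted above (the defanged hxxp scheme is kept as-is); the function names are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the two meta tags quoted in the write-up.
SAMPLE_LANDING_PAGE = """<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Refresh" content="0;hxxp://posof.bel.tr/counter/1.htm">
</head><body>Loading...</body></html>"""


class _MetaRefreshCollector(HTMLParser):
    """Collects the content attribute of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.contents = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        # HTMLParser lowercases attribute names; a bare attribute has value None.
        a = {name: (value or "") for name, value in attrs}
        if a.get("http-equiv", "").strip().lower() == "refresh":
            self.contents.append(a.get("content", ""))


def parse_refresh_content(content):
    """Split a refresh content value into (delay_seconds, target_url).

    Accepts '0;URL', '0; url=URL' and quoted URLs. Returns None when the
    delay is not numeric; target_url is None when no URL follows the delay.
    """
    delay_text, _sep, rest = content.partition(";")
    try:
        delay = float(delay_text.strip())
    except ValueError:
        return None
    target = rest.strip()
    if target[:4].lower() == "url=":
        target = target[4:].strip()
    target = target.strip("'\"")
    return delay, (target or None)


def find_meta_refresh(html):
    """Return a list of (delay_seconds, target_url) for each refresh directive found."""
    collector = _MetaRefreshCollector()
    collector.feed(html)
    collector.close()
    results = []
    for content in collector.contents:
        parsed = parse_refresh_content(content)
        if parsed is not None:
            results.append(parsed)
    return results


def is_instant_offsite_redirect(html, page_host, max_delay=0.0):
    """True when the page sends the browser to another host within max_delay seconds.

    A zero-delay refresh to a different host is exactly what the landing page
    above does; legitimate pages rarely redirect this way, so it is a cheap
    triage signal for URL-scanning pipelines.
    """
    for delay, url in find_meta_refresh(html):
        if url is None:
            continue
        target_host = urlsplit(url).hostname
        if target_host and delay <= max_delay and target_host.lower() != page_host.lower():
            return True
    return False


if __name__ == "__main__":
    print(find_meta_refresh(SAMPLE_LANDING_PAGE))
    print(is_instant_offsite_redirect(SAMPLE_LANDING_PAGE, "uspsbiluwzxb48370.ideliverys.com"))
```

The host comparison is deliberately strict: a refresh that stays on the same host is treated as benign, while any immediate hop to a different host is reported for review. Raising max_delay widens the net to short countdown redirects as well.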
The payload is fetched from hxxps://docs.google.com/uc?export=download&id=0B1uRRSEjN_hbbzhpQXVwVTF3aU0. Once dropped, the file deletes volume snapshots so that the system cannot be rolled back or restored from backups, a common ransomware characteristic. On execution, the file shows a fake calibration alert to persuade the victim to approve a User Account Control prompt and grant it administrative privileges. (The popup did not appear when the sample was run with administrative privileges.)
When the victim clicks OK, the UAC prompt appears, granting the payload administrative access.
Once approved, and now running with administrative privileges, the ransomware creates a unique hexadecimal ID specific to the victim's machine and contacts the remote server for the public encryption key used to complete the encryption process.
The ransomware then moves itself to C:\Users\user1\AppData\Roaming on the victim's system so that it executes every time the system restarts, as shown in the snapshot below.
The ransomware, identified as Mole, or CryptoMix Revenge, encrypts files and renames them using the "[32_random_characters].MOLE" pattern; for example, "abc.txt" is renamed to "6E4378562876FAA26EAFFCF2288FC616.MOLE". It then creates a text file ("INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT") in every existing folder on the system. This note informs victims of the encryption, states that the files were encrypted with RSA-1024, and claims they can only be restored with a unique private key.
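The rename pattern and the ransom note name are the two host-level artefacts a responder can sweep for. The following is an added example, not Sequretek's tooling: it walks a directory tree, matches file names against the 32-hex-character .MOLE pattern and the note name from the write-up, and produces a small triage record. The directory fixture is constructed inside the example (the encrypted file name is the one quoted above; the other names are made up), so it runs offline; the function names are this example's own.

```python
import os
import re
import tempfile

# File-name pattern from the write-up: 32 hex characters followed by the .MOLE extension.
ENCRYPTED_NAME = re.compile(r"^[0-9A-F]{32}\.MOLE$", re.IGNORECASE)
RANSOM_NOTE = "INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT"


def scan_tree(root):
    """Walk root and return (encrypted_files, note_dirs), both sorted."""
    encrypted, note_dirs = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if ENCRYPTED_NAME.match(name):
                encrypted.append(os.path.join(dirpath, name))
            elif name.upper() == RANSOM_NOTE:
                note_dirs.append(dirpath)
    return sorted(encrypted), sorted(note_dirs)


def assess(root):
    """Summarise the scan as a triage record.

    The strongest verdict requires both artefacts (renamed files and the dropped
    note) so that a single odd file name does not raise a false alarm.
    """
    encrypted, note_dirs = scan_tree(root)
    hit_dirs = {os.path.dirname(p) for p in encrypted}
    if encrypted and note_dirs:
        verdict = "mole_indicators_present"
    elif encrypted or note_dirs:
        verdict = "partial_match_review"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "encrypted_count": len(encrypted),
        "note_count": len(note_dirs),
        "affected_dirs": sorted(hit_dirs | set(note_dirs)),
    }


def build_fixture():
    """Create a constructed directory tree that mimics a partially encrypted host.

    Returns the temporary root. Every name here is made up for this example
    except the encrypted file name quoted in the write-up.
    """
    root = tempfile.mkdtemp(prefix="mole_demo_")
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    # Documents: the example encrypted name from the write-up plus the note.
    open(os.path.join(docs, "6E4378562876FAA26EAFFCF2288FC616.MOLE"), "wb").close()
    open(os.path.join(docs, RANSOM_NOTE), "w").close()
    # Pictures: lowercase hex and extension still match, plus the note.
    open(os.path.join(pics, "0123456789abcdef0123456789abcdef.mole"), "wb").close()
    open(os.path.join(pics, RANSOM_NOTE), "w").close()
    # Untouched file and a look-alike that must NOT match (extension only, no 32-hex stem).
    open(os.path.join(root, "readme.txt"), "w").close()
    open(os.path.join(root, "backup.tar.MOLE"), "wb").close()
    return root


if __name__ == "__main__":
    demo_root = build_fixture()
    print(assess(demo_root))
```

Run against a mounted image or a live host by passing its root to assess(); affected_dirs gives the responder the folders to prioritise when checking which originals are recoverable from backup.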
Mole Ransomware Note:
The binary spawns many processes, disables startup repair, and modifies auto-execute behaviour through registry changes.
Spawned process "5E797936.exe"
Spawned process "notepad.exe" with command line "%USERPROFILE%\Desktop\INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT". The note is dropped in every folder after the files it contains have been encrypted.
Details of the remote web server contacted are shown in the network capture image below.
To remain persistent, the ransomware creates custom Windows registry values in the following sub-keys:
Modifications to these registry keys allow the .mole virus to run its malicious executable every time Windows starts.
Some sample variants also drop a self-deleting batch file that removes the original payload, retrying the deletion until the file is gone and then deleting the batch file itself:
del /F /Q "C:\plugin-office.exe"
if exist "C:\plugin-office.exe" goto d
del /F "C:\Users\3FXdxzR\AppData\Local\Temp\upd2aff3784.bat"
Indicators of Compromise
File size: 145.8 KB (149346 bytes)
File size: 368.0 KB (376832 bytes)
File size: 178.0 KB (182272 bytes)
URL (remote C&C): 18.104.22.168
Infection URL: ideliverys.com (with randomly generated subdomains such as uspsbiluwzxb48370.ideliverys.com/u844)
Preventive Security Measures
Sequretek recommends the following measures to prevent infection and loss of data: