Recent Spam Runs in Germany Show How Threats Intend to Stay in the Game

By Alice Decker, Jasen Sumalapao, and Gilber Sison

In early December, GoldenEye ransomware  (detected by Trend Micro as RANSOM_GOLDENEYE.A) was observed targeting German-speaking users—particularly those belonging to the human resource department. GoldenEye, a relabeled version of the Petya (RANSOM_PETYA) and Mischa (RANSOM_MISCHA) ransomware combo, GoldenEye not only kept to the James Bond theme of its earlier iteration, but also its attack vector.

Given ransomware’s likely outlook to reach a plateau, persistence in the threat landscape and diversification of target victims are the names of the game. GoldenEye exemplifies bad guys trying to gain scale, leverage, and profit with rehashed malware.

Apart from GoldenEye, we also saw spam runs and observed a surge in detections of Cerber (RANSOM_CERBER), Petya (RANSOM_PETYA), and Locky (RANSOM_LOCKY) in Germany. The social lures of these malware may be German, but the risks and impact are the same for everyone.

Recent ransomware incidents in Germany

Feedback from our Smart Protection Network™ cite Germany, Turkey, Italy, Spain, and France among top countries in Europen with high ransomware detections from January to November 2016.

In Germany, a little over one third came from malicious URLs, while spam emails made up most of the infection vector (63%). Malicious URLs associated with Locky peaked at over 700 during the second week of November. From the last week of November to mid-December, the URLs we blocked and monitored ranged between 50 and 400.

Like Petya and HDDCryptor, GoldenEye can overwrite the system’s master boot record. It was distributed through spam emails posing as missives from job applicants. They came with PDFs pretending to be resumés , as well as Excel spreadsheets (XLS) embedded with malicious macro.

Figure 1. Snapshot of the fake PDF (left), and spam email containing an XLS file (right) distributed by GoldenEye

Another recent campaign we espied in Germany used a one-two extortion punch to its would-be victims. Its operators tailored the spam emails and made it look like they came from the police’s cyber department in Cologne. Recipients are accused of fraud, and are compelled to open the attachment—a .ZIP file containing a Word® file (W2KM_CERBER.DLBZY) embedded with malicious macro that downloads and helps execute an imitation of Cerber (RANSOM_HiddenTearCerber.A). The copycat ransomware demonstrates how other strains impersonate user interfaces and build on the notoriety and seeming success of families such as CryptXXX, Locky, and Cerber to earn a fast buck.

The Cerber-mimicking malware is based on open source ransomware Hidden Tear, and comes in three different builds to avoid detection. It encrypts 128 file types, retrieves the infected system’s Volume Serial Number, and appends a .cerber extension to encrypted files.

Figure 2. Ransom note of Hidden Tear Cerber

Where there’s smoke, there’s fire

We also came across another campaign impersonating a telecommunications company. The spam email, which contained URLs of the spoofed organization, purported to be notifications of a mobile phone bill. Users are prodded to open a zipped PDF attachment, which ultimately leads to a variant of Sharik/Smoke Loader (TROJ_SHARIK.VDA) Trojan.

Sharik/Smoke Loader injects itself into legitimate processes and sends system information to its command and control (C&C) server. It can remotely control the system to conduct malicious activities such as downloading other malware (based on the system’s location) and stealing credentials of the system’s FTP, IM and email clients, and web browsers among others.

Figure 3. Snapshot of Sharik/Smoke Loader-toting spam email

Old but pervasive banking Trojans

Even fairly old banking Trojans seemed to have follow suit. EMOTET (TSPY_EMOTET), DRIDEX (TSPY_DRIDEX), and ZeuS/ZBOT (TSPY_ZBOT) also saw an increase in our detections in Germany during the same period. DRIDEX remained low-key until we detected a surge of around 250 active URLs  during mid-December, while EMOTET used over 100 URLs in November. Zeus/ZBOT, which began evolving since 2007, had a fair amount of active URLs in its employ, peaking at 250 from October to mid-December.

ZeuS/ZBOT, EMOTET, and DRIDEX are old but prevalent, and were employed mainly for data theft (stealing login credentials) with slight differences in modus operandi and social engineering. Threat actors behind these malware directly siphon money off of their victim’s bank accounts or peddle the data in underground marketplaces.

Mitigation

End users can mitigate the risks with good security habits such as backing up data and disabling macros for files/attachments from unsolicited emails. Caution is advised when visiting phishing sites/pages as well as links on suspicious emails, as bad guys leverage these to deceive unwitting users into handing over personal information. Keeping the operating system and its software/applications up-to-date lessens the system’s exposure to these information-stealing and data-encrypting malware. Regularly updating online banking credentials can also mitigate the risk of getting them remotely hijacked and pilfered.

Dubious applications and processes, suspicious network activity, and system performance slowdown are just some of the red flags IT admins can be aware of when safeguarding their corporate network. Enterprises are also recommended to implement account restriction and/or management policies that can block emails from unknown sources.

Trend Micro Solutions

When addressing these kinds of threats, reacting as they occur isn’t enough. Strategic planning and a proactive, multilayered approach to security goes a long mile— from the gateway, endpoints, networks, and servers.

Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites, and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files, and spammed messages as well as blocking all related malicious URLs Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachment and URLs.

Trend Micro OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against ransomware and advanced malware

Trend Micro Ransomware Solutions

Related Hashes/Indicators of Compromise (IoCs):
Malicious Excel attachments detected as X2KM_GOLDENEYE.A
2D667B894AFADA90310E932670418F34CA155037
46790D76765CE1A5E01DE1D619068670BD145A3B
958764CB5A5748711A6DBECF227A2CD307A7255D
B002B797966F9247D46B6A7888E39EE5B073B8F5
E617755A2504A912F13C077C6567F83F4EBE1199

Dropped executables (b64-encoded) detected as RANSOM_GOLDENEYE.A
2FFDBF08895C943CB77494FF29E1CF8621320EBC
3E1C62AC20A921C4D2CBF19A01E112FFBBCFB21B
5E592A17C7488B501A60C401FCB06165C012A885
80E0CFC85B7F157E2A758A5DA9A84CC8FEB94314
93E6C9D434D8D80288555F0B8A1314A9D8C1328D
EF3D2563FA3E29C1BE76A149FF91398AB9987775

Hidden Tear Cerber IoCs:
verfahren2016-3248882[.]doc – detected as W2KM_CERBER.DLBZY
6f0b1c63aa8e3ab57fe308d6c67c8413 (MD5)
71fa6f482f001922d75a2fba5eea6a36338aa2a3 (SHA1)

Detected as RANSOM_ HiddenTearCerber.A:
01BEDF18B1A7415F82F955C36FA0A975625746F1 (Themida)
79440D8B1E4B8FA222F1BE78435F43F86796F6DC (NSIS)
E89FB7405E242E359B652E5DD1276D4BA20C5AED (MSIL)

Sharik/Smoke Loader IoCs:
2016_12_19_Rechnung_Kundennr_[.]zip (SHA1):
e9be565ca629f2828be5dbe47c6c865e6dd3df12
21bacd8c51fab29c15c1df8f25f7e91697d3bba1 — TROJ_SHARIK.VDA

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Recent Spam Runs in Germany Show How Threats Intend to Stay in the Game

Read more: Recent Spam Runs in Germany Show How Threats Intend to Stay in the Game