Deep Instinct’s Research team has spotted a new wave of Spora ransomware, a family known for its well-designed encryption scheme. Previous versions of Spora mostly relied on Zip attachments containing HTA or JavaScript files sent in email campaigns. The most recent wave, active in the last 48 hours, is based on Microsoft Word documents which contain one of two different versions of embedded JavaScript.
The attack flow is as follows:
Let’s go into further details concerning the different stages.
The malicious Word documents, believed to be sent through phishing emails, contain a blurred image which supposedly shows an invoice related to a previous agreement; the user is prompted to double-click it.
Once the user double-clicks the image, a security warning is shown, asking whether a Windows Script File (.wsf) should be run.
Once the user allows the script file to run, there are two possible options, depending on the dropper variant:
- Earlier variants, which started to surface 36-48 hours ago, contain slightly obfuscated JavaScript inside the .wsf file, which in turn carries an obfuscated version of the payload PE as a resource. Since the script is short, it is easily understood: it de-obfuscates the resource, drops it to disk and executes it. The PE’s obfuscation is very basic: the file is simply stored with its byte order reversed.
- In later variants, the JavaScript downloads yet another obfuscated script, which contains the Spora executable (this time not obfuscated), from hxxp://giorno-notte[.]ru/login. This URL resolves to the Russian IP 126.96.36[.]199, which appears to be used as a web host.
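To illustrate the byte-reversal trick used by the earlier droppers, here is an added example (not code from the original post or from the malware) that recovers a PE image stored in reverse byte order and validates the result by checking the DOS and PE headers. The embedded sample PE is a constructed minimal header, not a real Spora payload; the file handling in `__main__` is an assumed convenience for running it against a resource extracted from a real .wsf file.

```python
"""Recover a PE that was stored byte-reversed, as the early Spora .wsf droppers did."""
import sys
from typing import Optional


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_reversed_pe(blob: bytes) -> Optional[bytes]:
    """Return the un-reversed PE if `blob` is a byte-reversed PE image, else None."""
    if blob[-2:] != b"ZM":  # cheap pre-check: a reversed PE ends with the MZ magic backwards
        return None
    candidate = blob[::-1]  # undo the obfuscation: reverse the whole byte sequence
    return candidate if looks_like_pe(candidate) else None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE: a DOS header with e_lfanew=0x80 and a PE signature there."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x80).to_bytes(4, "little")
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 0x40


SAMPLE_PE = build_fake_pe()                 # constructed sample, not a real payload
OBFUSCATED_RESOURCE = SAMPLE_PE[::-1]       # what such a dropper would carry as its resource


if __name__ == "__main__":
    # Usage (assumed): python recover_pe.py <extracted_resource.bin> <output.exe>
    with open(sys.argv[1], "rb") as f:
        recovered = recover_reversed_pe(f.read())
    if recovered is None:
        sys.exit("input is not a byte-reversed PE")
    with open(sys.argv[2], "wb") as f:
        f.write(recovered)
    print("recovered PE written to", sys.argv[2])
```

The header check matters in practice: reversing an arbitrary blob always produces *some* bytes, so a quick `MZ`/`PE\0\0` validation is what tells you the transform was the right one before the file is handed to a sandbox or disassembler.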
Overall the payload’s behavior is similar to previous versions of Spora analyzed in the months since its appearance. Once the executable is run, it encrypts files (without adding or changing their extension) and deletes Volume Shadow Copies via WMI. Before WMI is used to delete the shadow copies, the user is prompted by UAC to allow cmd.exe to run. This is one of Spora’s drawbacks: as in previous versions, there is no UAC bypass mechanism. Allowing cmd.exe will execute the following command (the original text spells the binary "vssuser.exe", which is not a Windows tool; the shadow-copy deletion utility is vssadmin.exe):
‘C:\Windows\System32\wbem\WMIC.exe’ process call create ‘cmd.exe /c vssadmin.exe delete shadows /quiet /all’
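The command above is a reliable detection point regardless of the ransomware family, since legitimate software almost never spawns cmd.exe from WMIC to delete shadow copies. The following added example (not from the original post or from any vendor product) runs simple process-creation triage logic over a few constructed Sysmon-style events. It generalizes slightly beyond the page by also matching the `wmic shadowcopy delete` form, which is the other common way ransomware removes shadow copies; the event field names mirror Sysmon Event ID 1 and are an assumption about the log source.

```python
"""Flag shadow-copy deletion in process-creation events, with WMIC parentage as an escalation."""
import re
from typing import Dict, List, Tuple

# Constructed sample events (Sysmon Event ID 1 style): parent image and child command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"cmd.exe /c vssadmin.exe delete shadows /quiet /all"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe invoice.txt"},
    {"ParentImage": r"C:\Program Files\Backup\agent.exe",
     "CommandLine": r"vssadmin.exe list shadows"},          # benign: listing, not deleting
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic shadowcopy delete"},             # the other common deletion form
]

# Either "vssadmin delete shadows ..." or "wmic shadowcopy delete", case-insensitive.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)


def is_shadow_copy_deletion(event: Dict[str, str]) -> bool:
    """True if the child command line deletes Volume Shadow Copies."""
    return bool(SHADOW_DELETE.search(event.get("CommandLine", "")))


def spawned_by_wmic(event: Dict[str, str]) -> bool:
    """True if the parent process is WMIC.exe (the Spora 'process call create' pattern)."""
    return event.get("ParentImage", "").lower().endswith("\\wmic.exe")


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (severity, command line) for every event that deletes shadow copies.

    WMIC-spawned deletions are rated 'high'; any other deletion still surfaces as 'medium',
    because backup agents occasionally run vssadmin but essentially never through WMIC+cmd.
    """
    hits = []
    for event in events:
        if is_shadow_copy_deletion(event):
            severity = "high" if spawned_by_wmic(event) else "medium"
            hits.append((severity, event["CommandLine"]))
    return hits


if __name__ == "__main__":
    for severity, cmdline in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {cmdline}")
```

Because Spora only reaches this step after the user clicks through the UAC prompt, the WMIC-parented deletion is also a useful signal that the earlier warning was approved: seeing it on an endpoint means encryption has very likely already started, so the alert should trigger isolation rather than just a ticket.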
Interestingly, these Spora variants also collect browsing information and credentials (form history, cookies). Spora also has the ability to capture the clipboard and record keystrokes. Similar behavior has recently been seen in new versions of other ransomware families, such as Cerber.
During execution, the malware communicates with a known Spora onion site, active since at least the end of July. However, at the time of writing no response was seen from it.
Finally, as always, the ransom note is created. It is dropped as an HTML file and displayed by calling mshta.exe. The ransom note contains the Gmail address used previously by Spora: spora[.]help@gmail[.]com.
Samples of Word documents used as droppers in this latest wave have been surfacing continuously over the past 48 hours, and almost all are initially undetected according to multi-scanner results. This is especially the case for the droppers that carry the full payload embedded.
However, since Spora’s attack vector relies on user interaction, user awareness can play a significant role in stopping the threat. The basic rule of thumb applies: pay special attention to unsolicited emails and attachments, and avoid running or allowing any kind of content from an untrusted source.
Deep Instinct customers are fully protected against all stages of Spora’s attack vector. All new, unknown variants of the dropper files, malicious scripts and payload are detected and prevented by our deep-learning based solution.
Droppers (PE download):
Droppers with embedded PE: