Examining Recent Ransomware Infection Techniques (And Some Thoughts on Consuming Intelligence)

Even though ransomware is one of the threats du-jour, it’s not something I’ve closely studied. So I decided that this weekend was as good a time as any to conduct some research and develop a better understanding of this threat.

I wish I could say I identified novel features of what I discovered were large, multi-wave ransomware campaigns between May and August. But that didn’t happen. The reality is pretty mundane: I pulled together existing research and documented—in my own words—what others have already reported.

As an analyst, I’m okay with that. I’ve found this type of research to be typical. And it brings up thoughts (and tips!) I have on intelligence consumption. But more on those soon… First, let’s look at the recent ransomware activity.

Windows Script Files Seen in Multiple Ransomware Campaigns

Starting in May, ransomware distributors began using Windows Scripting Files (.wsf) to download and execute various ransomware payloads: Locky, Cerber, and CryptMIC. The script files are commonly contained in .zip email attachments but sources have also observed phishing messages with a URL pointing to a malicious .zip file.

“Windows Scripting File is a text document containing Extensible Markup Language (XML) code. It incorporates several features that offer [the user] increased scripting flexibility. Because Windows script files are not specific to a script language, the underlying code can have either JavaScript or VBScript, depending on language declaration in the file. WSF acts as a container.” – Microsoft Malware Protection Center, Threat Research and Response Blog

• Early May: actors behind the Cerber ransomware launch a phishing campaign relying on .wsf files contained in double-zipped email attachments. Forcepoint says that this was the first time it has seen Cerber delivered using .wsf files.

• Mid- to late-July: criminals use the .wsf method to push the Locky and Cerber ransomware, according to both Cloudmark and Microsoft. Unlike the early May Cerber campaign, the script files are not double-zipped. TrendMicro also spots widespread Locky phishing activity using the same installation technique: a .wsf file in a .zip archive.

• Early August: Invincea identifies an attempted CryptMIC infection. Delivery techniques mirror those seen in July. Additional details on this recent activity are provided below.

Recent August 2016 CryptMIC Ransomware Campaign

In early August, Invincea observed an attempted CryptMIC ransomware infection. Notable in the infection chain was the use of a Windows Script File (.wsf) to execute the malware.

The reported infection chain is as follows:

1. Via phishing or possibly via drive-by-download, a user receives a .zip archive containing a .wsf file.

2. The .zip and .wsf files both download to the users %TEMP% directory (Users\[User_Name]\AppData\Local\Temp\[mal_document.zip]\[mal_document.wsf]).

3. The Windows Script Host (wscript.exe) process executes the .wsf file.

4. The .wsf file a) writes a PHP script to the user’s Internet Explorer cache directory (this location will vary depending on the Windows OS version) and b) writes and executes radXXXXX.tmp to the current %TEMP% directory. The .tmp file is the ransomware identified as CryptMIC. The XXXXX characters will be a random hexadecimal value (e.g., E2610, 075AC). Lastly, the .wsf will c) create a malicious .dll and .job (i.e. scheduled task) file in the C:\Windows\System32\ directory.

See Appendix A for file and network indicators associated with this activity.

Some Thoughts on Consuming Intelligence

As I mentioned in the introduction of this post, I think this type of research is routine. I often encounter threats and TTP that I’m not familiar with, so I have to invest time into studying and absorbing the knowledge that already exists. I suspect this is the case for many analysts. I consider this process to be an important an aspect of intelligence consumption.

There are three points I want to raise about this process:

1. It’s impossible for analysts to understand every threat. No analyst is aware of, or can understand every threat or tactic. Analysts must be allowed the time to study threats they don’t understand and which are—or could be— relevant to the organization.

2. Intelligence consumption involves more than just ingesting IOC. I believe that the time that analysts spend studying threats is a part of intelligence consumption process—it’s not just about collecting IOC. It’s about consuming the knowledge that is available to develop an understanding of the threat. This often flows directly into the analysis process as analysts consider how and why the threat at hand is relevant.

3. Producing organization-specific intelligence should be a by-product of consumption. If analysts are taking the time to do the research, they should take the extra step to document and memorialize it for the benefit of their future selves, their intelligence customers, and their organization. The analyst should write a report (not just notes) with a title, summary, and research findings. More importantly, the analyst should include an organization-specific spin: why is the threat relevant to the organization? Are there opportunities to prevent or detect the threat? Answering these questions, even at a basic level, reinforces the practice of tying intelligence activities and reporting to requirements.

Intelligence Consumption Tips – Setting Yourself Up For Successful Production

I think that generating intelligence reports can go hand-in-hand with consuming intelligence. Generating reports also provides a consistent way of managing knowledge.

So, here are some consumption-to-production tips that have worked for me:

• Don’t under-value the importance of synthesizing multiple sources and creating a narrative in your own words. Don’t feel obligated to dig for ground-breaking information. Establishing what you know starts with figuring out what others already know.

• Establish a basic chronology of the threat activity you are studying. The chronology should be based on when the activity occurred, not when sources reported it. Be sure to cite your sources!

• If you don’t have time to create a full timeline, that’s okay. Just focus on capturing the information you can. When you return to the project it will be easier to continue building a timeline and broader context. When I started writing this post, I focused on the CryptMIC activity first. I wanted my synthesis of the .wsf TTP to stand on it’s own as a short report. It actually wasn’t until I was further into the research that I realized I could couch the CryptMIC activity into a more expansive timeline. But the timeline section could also stand on its own. Whether you start with the technical deep-dive or the high-level synthesis, be sure that you can eventually tie the two together.

• Practice taking your raw notes and massaging them into complete sentences. Then craft those sentences into paragraphs and build a narrative. We tend to jot down fragmented notes which remain like that on our desktops in CSV, TXT, and DOC files. This is a challenging way to manage your knowledge. Pull those notes and sources together and write a report!

I personally learned a lot from doing this exercise. Sure, I could have read all of the reports I reference above and left it at that, but there’s nothing like putting pen-to-paper to ingrain what you’ve learned—and to make it available for your customers.

These types of intelligence products generally aren’t glamorous. But I think they form an essential foundation of knowledge. This knowledge can drive prevention, detection, and hunting efforts.

Appendix A: Indicators for the .WSF-enabled Ransomware Campaigns

# Early May Forcepoint-reported file and network indicators
0x90_315_kspc.zip - 444FC88BB139F0729FD54542666AC95D33FAB7DE
4x94_182_qfx.wsf - 03D84211C2FA968B7737B37A5968B716259848A2
1x91_426_cedu.zip - D797EE6794769FD8520586DA844728CF2600D764
4x94_447_xih.wsf - 7BE42FFAAC461BB87B39098706A0A4022CC78517
4x94_300_l.zip - C08C59EF13874CDB23EC7EB4DE4CD76AF131DC7A
5x95_323_ofxh.wsf - 8A34DA2DB8A079C4CD5050EBD29A73A351EDE832
4x94_175_g.zip - 36AFE469B1CA6BC122414D94B814222B7887D80F
1x91_449_dcro.wsf - E69FD09F846C999C95CDF43A6CF114D73FE618F8
# Fake unsubscribe link
http://vetdoctor.su/go.php
# Malicious ZIP with WSF downloader
http://content.screencast.com/users/invoice1619/folders/Default/media/a21db752-f6f0-4389-9419-0c5040c54e61/0x90_170_cxz.zip

# Mid-July Cloudmark-reported file and network indicators
fax_scan_doc_607810.zip
pdf_letter-uBM_196204.zip
sales_scan_letter_709050.zip
spreadsheet_ed9b..wsf
profile-f98c..wsf
# Payload URLs
http://hiramteran.com/9av7cb
http://theblackrock.net/e86ry
http://237travellin.com/telo70

# Mid-July Microsoft-reported file and network indicators
profile-d39a..wsf
profile-e3de..wsf
profile-e7dc..wsf
profile-f8d..wsf
profile-fb50..wsf
spreadsheet_07a..wsf
spreadsheet_1529..wsf
spreadsheet_2c3b..wsf
spreadsheet_36ff..wsf
spreadsheet_3a8..wsf
# Payload URLs
http://right-livelihoods.org/rpvch
http://nmfabb.com/rgrna1gc
http://www.fabricemontoyo.com/v8li8

# Mid-July TrendMicro-reported file indicators (with TrendMicro AV detections)
# JS_LOCKY.DLDVEF
0A17D419461F2A7A722F4E15C2760D182626E698
0B4396BD30F65B74CE38F7F8F6B7BC1E451FBCCC
0C82F9EBC4ACE5D6FD62C04972CF6A56AA022BFD
21DCA77E6EF9E89C788EE0B592C22F5448DE2762
288C7C4FA2FC2A36E532F938B1DC18E4918A0E36
69DA16CB954E8E48CEA4B64A6BBC267ED01AB2B3
6A9B6AE21C5F5E560591B73D0049F6CA2D720122
752AB2146016BCAFBFE17F710D61D3AD3822F849
8BDC38B005E09B34C1BCE94529158DE75408E905
B8B79E8BAF39E0E7616170216B25C1505974F42C
5994eb7696e11818d01bc7447adcf9ec5c1c5f13
936ac2f42a1a641d52ba8078c42f5879e2dd41a0
0b7b2ba3c35e334bf5bc13929c77ecaf51758e2b
3bc8656186ee93d25173ba0f3c07a9cced23e7cd
08f1565514122c578da05cbf8b50ee9dcfa41af6
4641fb72aaf1461401490eaf1916de4103bbece5
3790c8bc8e691c79d80e458ba5e5c80b0b12a0c8
91762a5406e5291837ed259cd840cf4d22a2ddfa
005cc479faa2324625365bde7771096683312737
eb01089b3625d56d50e8768e94cfef1c84c25601
# JS_LOCKY.DLDVEJ
812FBF9E30A7B86C4A72CCA66E1D2FC57344BB09
AE78A7B67CB5D3C92406CFA9F5FB38ADC8015FDF
0e76d8fd54289043012a917148dacda0730e4d88
c76222e1206bad8e9a4a6f4867b2e235638a4c4c
# JS_LOCKY.DLDVEL
A2420F7806B3E00DB9608ABF80EE91A2447F68AD
A94CE98BCC9A130AA88E9655672497C701BDA4A5
fc591d83cdebe57b60588f59466ec3b12283cc2c
719f0d406038b932805d338f929d12c899ec97e1
# JS_LOCKY.DLDVEP
DA0FD77C60A2C9A53985A096BDAE1BEF89034A01
56dd1d2b944dae25e87a2f9b7d6c653b2ece4486
# RANSOM_LOCKY.DLDVEO
180BDD12C3EE6D8F0A2D47DDAAD5A2DAA513883E
2C62F7B01DD423CEF488100F7C0CA440194657D9
6DECCBB36F4E83834985FE49FC235683CF90F054
E2D94F69134D97C71F2B70FC0A3558B30637E46D
E3E49BF06CD03FB0EA687507931927E32E0A5A1C
# RANSOM_LOCKY.DLDVEF
22DE960D38310643C3E68C2BA8EC68D855B43EBD
# RANSOM_LOCKY.DLDVEL
5A044104A6EED7E343814B3E0FC2DB535C515EA2
9BA7499C98E2B52303912352E1ACA694552E0E86
9F48FA841FC8B0E945C43DB5B18B37BDF2DA8F5B
# RANSOM_HPLOCKY.SM2
3329FB8FD5E664CCDE59E12E608E0BCE3EF95225
5BE1DE4A018B746953381EA400278D25E7C3D024
B2D1E7860F617014E0546B9D48450F221FE118EC
BB8ABA09BC9B97C7358B62F2FF016D05955A5967
# RANSOM_HPLOCKY.SM3
1A46C45A443B1C10EAA9AA317CD343B83160828F
A2899353B237E08A7570C674D05D326D43173231
D8FF29CFF5341B361CA3CEE67EABBD22698DAA2B
# RANSOM_LOCKY.F116GT
565951232E4A1D491D932C916BC534E8FB02B29B
# RANSOM_LOCKY.F116GS
E362B04FE7F26663D7D43DD829D3C4310B2FC699
# RANSOM_LOCKY.SMA6
6014A6AFDF09EDEB927A9A6A4E0DF591D72B1899
DCDB228D515F08673542B89ABB86F36B3B134D72

# Early-August Invincea-report file and network indicators
f547e9d8fb5060918f969895a2d486e201fd36d43c13229a5c90ceef42dd8759
3999639544117d532f83eebd74e1d4816e301a9cd7a3e651ce9dcbf337f7a22c
5b0dba45e0c32c706c78238d8c2b2fb3
35b4b5b28211f7d8a7cd83dc43730fe56b3cba17ff6e01675f2df4a358e0bdb2
c70a777f00920cda8fbf248ecab229b0
1aacd87f9b200a2f13667db9626034522ac79a42f7ba041d41acd4d1831c71b0
8260e3742d4c59aedc54dc934c853d19
94.156.35.71
# Domain resolutions for 94.156.35.71 (last checked August 20, 2016)
land.fastfashiongroup.com
sale.armageddonarms.net
185.139.2.66
# Domain resolutions for 185.139.2.66 (last checked August 20, 2016)
forward.coffeeandteagetaway.com