Last Updated: 2017-08-09 00:05:00 UTC
by Brad Duncan (Version: 1)
Many security professionals often review malicious spam (malspam) as part of their daily work. If you fall in this category, every once in a while you run across an email so obviously malicious, you wonder how people could be fooled by it. I saw one such email on Tuesday 2017-08-08.
The link in this email led to a zip archive containing Sharik/Smoke Loader malware. Sharik/Smoke Loader then retrieved TeamViewer to use as a backdoor on the infected host. It also downloaded ransomware calling itself "Diamond Computer Encryption."
In today's diary, I investigate that malspam and its associated malware.
The email consists of an image from img.hambersandp02.host that links to inf.hambersandp02.host. The image is followed by a random string on numbers barely visible in the message, because the text is a very light shade of grey. Of note, the domain name hambersandp02.host was registered through NameCheap on the same day I saw the email (2017-08-08).
Just look at it. The recipient was not someone in any position of authority to sign a contract. The email sender is named "Contract" and uses some random email address. And there is absolutely no context to the message. I always ask myself how someone could be fooled by this, and the answer is apparently "you'd be surprised."
Clicking on the image from the message sent a zip archive. The zip archive came from an Amazon Web Services (AWS) server, and it contained an executable file (barely) disguised as a contract for the recipient to sign.
After the malware was download from an AWS server, the infected Windows host generated post-infection traffic that included HTTP requests to support.microsoft.com (a legitimate domain) and controlek01.asia (a malicious domain). Network traffic triggered alerts for Sharik/Smoke Loader as I monitored it using Security Onion running Suricata with the EmergingThreats open ruleset. I also saw TeamViewer traffic from the infected Windows host.
The infected Windows host
Signs of a ransomware infection were apparent in the infected Windows host. All encrypted files had random extensions appended to their file names, and the decryption instructions call the ransomware "Diamond Computer Encryption." This ransomware was first reported by @PolarToffee on Monday 2017-08-07 on Twitter, but it appears to be a complete scam without any way to decrypt your files. The bitcoin address from the decryption instructions doesn't change. No email address or other contact info is available. The instructions state all files will be automatically decrypted after making the bitcoin payment, but that apparently does not happen.
I noticed two things about this ransomware. First, it causes no post-infection traffic, except for a URL in the decryption instructions. That URL causes an HTTP request for an image of a diamond from www.tiffany.com (a legitimate website). Second, you must have version 4.0.30319 or higher of the .NET Framework installed, or the ransomware doesn't encrypt your files.
The Diamond ransomware was stored in a folder under the user's AppData\Roaming directory, and it used a Visual Basic (.vbe) file in the Startup folder to ensure persistence. However, the ransomware deleted itself after encrypting files in my lab host, so that .vbe file generated an error after rebooting.
Although the Diamond ransomware deleted itself, the Sharik/Smoke Loader stayed persistent on the infected host through an entry in the Windows registry. It had moved itself to a folder under the user's AppData\Roaming\Microsoft directory.
Indicators of Compromise (IOCs)
The following are email headers from the malspam:
- Date: Tue, 2017-08-08 12:36 UTC
- From: Contract <Nicolas@chambersandp141411.info>
- Subject: Please sign the contract.
- X-PHP-Originating-Script: 0:class.phpmailer.php
- Message-ID: <email@example.com>
The following are IOCs for network traffic related to this infection. First is the link from the email and redirect to the AWS download:
- 220.127.116.11 port 80 - inf.hambersandp02.host - GET /
- 18.104.22.168 port 443 - s3.us-east-2.amazonaws.com - GET /contrac9821/Sign_Contract_18727712.zip
Next is post-infection traffic during the infection to legitimate domains. None of these are inherently malicious on their own:
- www.bing.com - GET /
- support.microsoft.com - POST /kb/2460049
- Various IPs over TCP ports 443 and 5938 - TeamViewer domains - TeamViewer traffic
Finally, we have Sharik/Smoke Loader doing check-in traffic and downloading the Diamond ransomware executable:
- 22.214.171.124 port 80 - controlek01.asia - POST /
- 126.96.36.199 port 80 - controlek01.asia - GET /mariconets.exe
SHA256 hashes related to this infection are:
- SHA256 hash: 6790d73656b873ca3e44c9fd1f49e15c0aafafac1b55e5e81c4cd7c2d3f9cdd2
- File size: 54,482 bytes
- File name: Sign_Contract_18727712.zip
- Description: Downloaded zip archive after link in email redirected to AWS server.
- SHA256 hash: 431a9e9b1007257833cce1276bf50947e57eb67db02c539460aa05eac109ee06
- File size: 552,960 bytes
- File name: Sign_Contract_18727712.exe
- Location after infection: C:\Users\[username]\AppData\Roaming\Microsoft\agusbjct\dritbbst.exe
- Description: Sharik/Smoke Loader executable
- SHA256 hash: 5d82b3125eabf1a75cb15bd9b76bf398f829a41bf8e1ef2fd74825aed58e31c6
- File size: 442,368 bytes
- Location: C:\Users\[username]\AppData\Local\Temp\CB69.tmp.exe
- Location after infection: C:\Users\[username]\AppData\Roaming\winmgr322.exe\winmgr322.exe
- Description: Diamond ransomware
I saw some Twitter traffic stating Diamond ransomware also downloads TeamViewer. However, in this case TeamViewer appears to have been downloaded by Sharik/Smoke Loader. I tried the Diamond ransomware executable on its own, and it didn't generate any TeamViewer traffic.
Once again, I can't stress how obviously malicious I find this email. Furthermore, any organization following best security practices shouldn't have anything to worry about. But this example provides a somewhat interesting infection chain, and we must remain vigilant. There's still a possibility this malspam might actually infect someone.
Email, artifacts, and a pcap of the network traffic for today's diary can be found here.
brad [at] malware-traffic-analysis.net