2018-07-23 - MALSPAM USING PASSWORD-PROTECTED WORD DOCS CONTINUES TO PUSH RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2018-07-23-password-protected-Word-doc-malspam-tracker.csv.zip 1.0 kB (992 bytes)
- 2018-07-23-password-protected-Word-doc-malspam-pushes-AZORult-and-Hermes-ransomware.pcap.zip 3.3 MB (3,312,993 bytes)
- 2018-07-23-emails-malware-and-artifacts-from-password-protected-Word-doc-malspam.zip 757 kB (756,806 bytes)
NOTES:
- This appears to be the same group I blogged about on 2018-05-09 and 2018-06-04, which uses password-protected Word documents in malspam to push ransomware.
- Today, enabling the macros in the Word docs resulted in an AZORult infection followed by a Hermes ransomware infection.
- The MalwareBytes Blog published an in-depth write-up on Hermes ransomware in March 2018.
- The decryption instructions identify this sample as Hermes version 2.1, the same version MalwareBytes analyzed back then.
Shown above: Flow chart for today's infection.
MALSPAM
Shown above: Example of the malspam.
DATA FROM 6 EMAIL EXAMPLES:
(Read: date received -- date listed in the email -- sending mail server -- sending email address -- subject line -- attachment name -- password for the Word doc. The =?UTF-8?B?wqA=?= in every sender name is an RFC 2047 encoded-word for a single non-breaking space (U+00A0), so each display name carries an invisible trailing character.)
- 2018-07-21 12:20 UTC -- 2018-07-20 07:16 UTC -- mta4.anjanabro[.]com (mta4.anjanabro[.]com [46.161.42[.]4]) -- Charla Berke =?UTF-8?B?wqA=?= <9614@anjanabro[.]com> -- Job Application -- Charla's Resume.doc -- 321
- 2018-07-21 12:20 UTC -- 2018-07-20 16:43 UTC -- mta16.anjanabro[.]com (unknown [46.161.42[.]16]) -- Lanelle Sigler =?UTF-8?B?wqA=?= <784@anjanabro[.]com> -- Job Application -- Lanelle's Resume.doc -- 321
- 2018-07-22 02:45 UTC -- 2018-07-21 16:14 UTC -- mta3.anjanabro[.]com (mta3.anjanabro[.]com [46.161.42[.]3]) -- Rose Carron =?UTF-8?B?wqA=?= <931@anjanabro[.]com> -- Job Application -- Rose's Resume.doc -- 321
- 2018-07-22 09:41 UTC -- 2018-07-21 23:10 UTC -- mta28.anjanabro[.]com (mta28.anjanabro[.]com [46.161.42[.]28]) -- Britney Paz =?UTF-8?B?wqA=?= <2082@anjanabro[.]com> -- Job Application -- Britney's Resume.doc -- 321
- 2018-07-23 14:22 UTC -- 2018-07-23 06:14 UTC -- mta19.anjanabro[.]com (mta19.anjanabro[.]com [46.161.42[.]19]) -- Dayna Guynn =?UTF-8?B?wqA=?= <398@anjanabro[.]com> -- Job Application -- Dayna's Resume.doc -- 321
- 2018-07-23 16:41 UTC -- 2018-07-21 12:54 UTC -- mta22.anjanabro[.]com ([46.161.42[.]22]) -- Shayne Husband =?UTF-8?B?wqA=?= <2136@anjanabro[.]com> -- Job Application -- Shayne's Resume.doc -- 321
Shown above: Opening one of the Word doc attachments.
Shown above: Word doc after entering the password: 321
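The tracker rows above share more than the subject line: every From: display name ends in an RFC 2047 encoded-word that decodes to a non-breaking space, every local part is a bare number, every sending IP sits in 46.161.42.0/24, and the Date: header runs a day or more behind the time the message was received. The script below is an added example (mine, not part of the original page) that parses three of the six rows exactly as they appear above, decodes the sender names with the standard library, extracts the sending IP, and computes the Date: skew. The field names, the 12-hour skew threshold and the hit labels are my own choices.

```python
"""Triage of the tracker rows above: decode the RFC 2047 sender display
names, pull the sending IP out of the server field, and measure how far
the Date: header lags behind receipt. Added example, not part of the page."""
import re
from datetime import datetime
from email.header import decode_header
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

FIELDS = ("received", "date_header", "sending_server", "from_header",
          "subject", "attachment", "doc_password")

# Three of the six tracker rows from this page, copied as-is (still defanged).
TRACKER_ROWS = [
    "2018-07-21 12:20 UTC -- 2018-07-20 07:16 UTC -- mta4.anjanabro[.]com "
    "(mta4.anjanabro[.]com [46.161.42[.]4]) -- Charla Berke =?UTF-8?B?wqA=?= "
    "<9614@anjanabro[.]com> -- Job Application -- Charla's Resume.doc -- 321",
    "2018-07-21 12:20 UTC -- 2018-07-20 16:43 UTC -- mta16.anjanabro[.]com "
    "(unknown [46.161.42[.]16]) -- Lanelle Sigler =?UTF-8?B?wqA=?= "
    "<784@anjanabro[.]com> -- Job Application -- Lanelle's Resume.doc -- 321",
    "2018-07-23 16:41 UTC -- 2018-07-21 12:54 UTC -- mta22.anjanabro[.]com "
    "([46.161.42[.]22]) -- Shayne Husband =?UTF-8?B?wqA=?= "
    "<2136@anjanabro[.]com> -- Job Application -- Shayne's Resume.doc -- 321",
]
DATE_SKEW_HOURS = 12  # my own threshold: a Date: header this much older than receipt is notable


def refang(s):
    return s.replace("[.]", ".")


def parse_row(row):
    parts = [p.strip() for p in row.split(" -- ")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def decode_display_name(raw):
    """Turn =?charset?B|Q?...?= encoded-words into text. =?UTF-8?B?wqA=?= is
    base64 of the bytes C2 A0, i.e. a single non-breaking space (U+00A0)."""
    out = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            out.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            out.append(chunk)
    return "".join(out)


def sending_ip(server_field):
    """The bracketed IPv4 literal in 'host (rdns [ip])'; None if absent."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", refang(server_field))
    return ip_address(m.group(1)) if m else None


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M UTC")


def triage_row(row):
    r = parse_row(row)
    name_raw, addr = parseaddr(refang(r["from_header"]))
    name = decode_display_name(name_raw)
    local, _, domain = addr.partition("@")
    skew_h = (parse_ts(r["received"]) - parse_ts(r["date_header"])).total_seconds() / 3600
    hits = []
    if "\u00a0" in name:
        hits.append("display name padded with an encoded non-breaking space")
    if local.isdigit():
        hits.append("all-digit local part")
    if re.search(r"'s Resume\.doc$", r["attachment"]):
        hits.append("'<first name>'s Resume.doc' lure")
    if skew_h > DATE_SKEW_HOURS:
        hits.append(f"Date: header is {skew_h:.1f} h older than receipt")
    return {"display_name": name, "address": addr, "sender_domain": domain,
            "sending_ip": sending_ip(r["sending_server"]),
            "skew_hours": round(skew_h, 2), "hits": hits}


def triage(rows):
    return [triage_row(r) for r in rows]


def shared_network(results, cidr):
    """True when every sending IP falls inside cidr (a pivot for blocking)."""
    net = ip_network(cidr)
    return all(r["sending_ip"] is not None and r["sending_ip"] in net for r in results)


if __name__ == "__main__":
    results = triage(TRACKER_ROWS)
    for res in results:
        print(res)
    print("all senders in 46.161.42.0/24:", shared_network(results, "46.161.42.0/24"))
```

The encoded non-breaking space is the most durable of these signals: the display names, numeric local parts and attachment names change from message to message, but a mail filter that decodes From: and flags U+00A0 in the display name catches the whole batch, and the /24 and the Date: skew give a second and third signal to corroborate it.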
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
TRAFFIC FROM AN INFECTED WINDOWS HOST:
(Read: server IP address and port - HTTP Host header - request and what it retrieved)
- 205.185.121[.]209 port 80 - 205.185.121[.]209 - GET /azo.exe (AZORult)
- 47.254.202[.]63 port 80 - briancobert[.]com - POST /index.php (AZORult post-infection traffic)
- 205.185.121[.]209 port 80 - 205.185.121[.]209 - GET /5.exe (Hermes ransomware)
Shown above: Initial HTTP request for AZORult.
Shown above: AZORult post-infection traffic.
Shown above: Follow-up HTTP request for Hermes ransomware.
Contact addresses given in the decryption instructions:
- primary email: decryptsupport@protonmail[.]com
- reserve email: decryptsupport1@cock[.]li
MALWARE
SHA256 HASHES:
- 9470538381d03905f4ecbc1e5e577e621d46d37d2a56786c0eb514634edb2b28 - Britney's Resume.doc
- 99a415c5bd03b71f959d825de43a6fce19ce3d83c61fa6cfbdd650bf437af3ad - Charla's Resume.doc
- 3bfeeffda7d7e122c18672b8d82d67e3407dec1febf898551ff860211dcc1b49 - Dayna's Resume.doc
- f7f3981761a359f252d0e742a02f014cd31bf283d722dbf30ef062975a44336c - Lanelle's Resume.doc
- b126c6087222f91c17ce6dd1160de724f5fe418b348fe54b8b4103c8f30b959e - Rose's Resume.doc
- 1fc2294c86e0aee50fdd516d3cd25b6e01d43f39dc01974cf949fd03b00b36a3 - Shayne's Resume.doc
- 600dbf6887dc29d6427cb52c8e7718190938457a80afe551f811a9e4d7d7f1fc - AZORult
- ca335c96ddba1c84ed5b67dacd6931e16adfbc0e890976da5db013a999ad6eae - Hermes ransomware
IMAGES
Shown above: Files encrypted by Hermes ransomware didn't change their names or file extensions.
Shown above: Decryption instructions from Hermes ransomware.
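Because the encrypted files keep their original names and extensions, an analyst cannot find them by extension the way they could with ransomware that appends a marker. The script below is an added example (mine, not from the page or from any Hermes analysis) of the fallback: read the head of each file, check whether it still starts with the magic bytes its extension implies, and measure Shannon entropy for extensions the table does not know. The magic table, the 7.5 bits/byte threshold and the constructed sample files are my own; a stand-in byte pattern with maximal entropy plays the role of ciphertext.

```python
"""Triage for ransomware that leaves file names untouched (as Hermes does
here): find files whose content no longer matches their extension.
Added example, not from the original page. The magic table and the
entropy threshold are my own choices."""
import math
import os
from collections import Counter

# Leading bytes a healthy file of each extension should start with.
MAGIC = {
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 compound file
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".docx": (b"PK\x03\x04",),                        # OOXML is a zip container
    ".xlsx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
    ".pdf": (b"%PDF",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Ciphertext sits near 8.0 bits/byte. Compressed formats (docx, zip, jpg)
# also score high, which is why the magic check is consulted first.
HIGH_ENTROPY = 7.5
HEAD_BYTES = 4096


def shannon_entropy(data):
    """Bits per byte over the given bytes; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def magic_matches(name, head):
    """True/False for a known extension, None when the table has no entry."""
    ext = os.path.splitext(name)[1].lower()
    expected = MAGIC.get(ext)
    if expected is None:
        return None
    return any(head.startswith(m) for m in expected)


def classify(name, data):
    """Verdict for one file given its name and (at least) its first bytes."""
    head = data[:HEAD_BYTES]
    ent = shannon_entropy(head)
    magic_ok = magic_matches(name, head[:16])
    if magic_ok is False:
        verdict = "suspect: header does not match extension"
    elif magic_ok is None and ent >= HIGH_ENTROPY:
        verdict = "suspect: high entropy, extension unknown"
    else:
        verdict = "ok"
    return {"name": name, "entropy": round(ent, 2), "magic_ok": magic_ok, "verdict": verdict}


def scan_tree(root):
    """Walk a directory and return the non-ok verdicts with their paths."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(HEAD_BYTES)
            except OSError:
                continue
            r = classify(fn, data)
            if r["verdict"] != "ok":
                hits.append({**r, "path": path})
    return hits


# Constructed samples so the block runs stand-alone (no real files needed).
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n" + b"% constructed low-entropy body line\n" * 40,
    "resume.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 500,
    # Same name and extension as a healthy .doc, but the content is now
    # a maximal-entropy byte pattern standing in for ciphertext.
    "resume_encrypted.doc": bytes(range(256)) * 16,
}

if __name__ == "__main__":
    for n, d in SAMPLES.items():
        print(classify(n, d))
```

The magic check misses a cipher that preserves the original header and encrypts only the body, so treat this as a first pass to scope the damage on a host where the note appeared, not as proof that a given file is intact; the entropy score is only consulted when the extension is unknown, because legitimate compressed formats would otherwise flood the output.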