Threat Intelligence Report: GlobeImposter Ransomware

Written By: SecureLink Cyber Defence Center

A new strain of GlobeImposter ransomware has been observed, most likely distributed by email. The malicious code is compressed into a zip archive and sent to the end user. Once the code is executed, the payload is fetched from one of several domains and begins encrypting files on the victim's endpoint. Logs and Windows shadow copies are deleted, which makes recovery considerably harder. Once the files have been encrypted, the victim is asked to pay a ransom of 0.3 bitcoin (around $1000 at the time of writing) to obtain the decryption key. The ransom must be paid within 48 hours or the fee is doubled.

Threat Description

The malware is assessed to be another strain of the GlobeImposter ransomware family and encrypts files on the victim's drive. Activity in PassiveTotal indicates that the strain was first released around 1 August 2017 and has been hosted on a variety of IPs. As with most ransomware, system files are left alone and only documents and other user data are encrypted. The malware removes Windows shadow copies and cleans up logs after infection. The new strain is most likely distributed by email with an attached zip archive containing a malicious JavaScript file. The JavaScript contacts one of several domains to retrieve the payload.

Analysis Details

Once the obfuscated JavaScript found in the compressed archive is executed, it attempts to download the payload from domains hard-coded in the script. The payload is saved in the user's Temp directory and executed immediately after download. The domains and IPs listed in the IOC section below were collected from two different active samples; reviewing the activity for "trombositting[.]org" in PassiveTotal indicates that the domain has been hosted on several different IPs since 1 August 2017.

A simple .bat script is dropped by the payload and used to clean up the machine before and after encryption starts: RDP history, Windows shadow copies, and event logs are removed from the infected endpoint. The extension ".726" is appended to every encrypted file, and "RECOVER-FILES-726.html", a note with instructions for paying the ransom and decrypting the files, is placed in every directory that contains encrypted files. The victim is given 48 hours to pay the ransom of 0.3 bitcoin (around $1000); if it is not paid within 48 hours, the fee is doubled. The victim may send one file to the criminals for decryption to verify that decryption works.
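The chain described in this section (script host launching a downloaded executable from the user's Temp directory, that executable running a .bat from Temp, the ransom note being written, then a burst of ".726" files) can be expressed as a small behavioural detection. The following is an added example written for this write-up, not SecureLink's detection content; the event records are constructed to resemble Sysmon process-create (Event ID 1) and file-create (Event ID 11) events exported as JSON lines, the host name, user name and file names are invented, and the mass-encryption threshold of five files is an assumed tuning value.

```python
"""Behavioural detection for the GlobeImposter infection chain.

Added example, not SecureLink's tooling. Events are constructed to resemble
Sysmon ID 1 / ID 11 records as JSON lines; they are not real telemetry.
"""
import json
import ntpath
from collections import Counter

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ENCRYPTED_EXT = ".726"
RANSOM_NOTE = "recover-files-726.html"
MASS_ENCRYPT_THRESHOLD = 5  # assumed tuning value, not taken from the report


def in_user_temp(path: str) -> bool:
    """True if a Windows path lies under %USERPROFILE%\\AppData\\Local\\Temp."""
    return "\\appdata\\local\\temp\\" in path.lower()


def detect(event_lines):
    """Return (host, rule, detail) alerts in the order the events trigger them."""
    alerts = []
    encrypted = Counter()  # ".726" files seen per host
    for raw in event_lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        host = ev["host"]
        if ev["EventID"] == 1:  # process creation
            image = ntpath.basename(ev["Image"]).lower()
            parent = ntpath.basename(ev["ParentImage"]).lower()
            cmdline = ev.get("CommandLine", "")
            # Stage 1: wscript/cscript launching the downloaded payload from Temp
            if parent in SCRIPT_HOSTS and in_user_temp(ev["Image"]):
                alerts.append((host, "payload_from_temp", ev["Image"]))
            # Stage 2: the payload's cleanup batch file executed from Temp
            if image == "cmd.exe" and ".bat" in cmdline.lower() and in_user_temp(cmdline):
                alerts.append((host, "batch_from_temp", cmdline))
        elif ev["EventID"] == 11:  # file creation
            target = ev["TargetFilename"]
            name = ntpath.basename(target).lower()
            if name == RANSOM_NOTE:
                alerts.append((host, "ransom_note", target))
            elif name.endswith(ENCRYPTED_EXT):
                encrypted[host] += 1
                if encrypted[host] == MASS_ENCRYPT_THRESHOLD:  # fire once per host
                    alerts.append((host, "mass_encryption",
                                   f"{MASS_ENCRYPT_THRESHOLD} files with {ENCRYPTED_EXT}"))
    return alerts


# Constructed sample: one endpoint going through the full chain, plus a benign process start.
SAMPLE_EVENTS = r"""
{"host":"WS-042","EventID":1,"Image":"C:\\Windows\\System32\\wscript.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"wscript.exe C:\\Users\\alice\\Downloads\\IMG_6214.js"}
{"host":"WS-042","EventID":1,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\JnqxSiUgE3.exe","ParentImage":"C:\\Windows\\System32\\wscript.exe","CommandLine":"JnqxSiUgE3.exe"}
{"host":"WS-042","EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Users\\alice\\AppData\\Local\\Temp\\JnqxSiUgE3.exe","CommandLine":"cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\__t85D2.tmp.bat"}
{"host":"WS-042","EventID":11,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\JnqxSiUgE3.exe","TargetFilename":"C:\\Users\\alice\\Documents\\RECOVER-FILES-726.html"}
{"host":"WS-042","EventID":11,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\JnqxSiUgE3.exe","TargetFilename":"C:\\Users\\alice\\Documents\\budget.xlsx.726"}
{"host":"WS-042","EventID":11,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\JnqxSiUgE3.exe","TargetFilename":"C:\\Users\\alice\\Documents\\contract.docx.726"}
{"host":"WS-042","EventID":11,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\JnqxSiUgE3.exe","TargetFilename":"C:\\Users\\alice\\Pictures\\holiday.jpg.726"}
{"host":"WS-042","EventID":11,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\JnqxSiUgE3.exe","TargetFilename":"C:\\Users\\alice\\Pictures\\family.jpg.726"}
{"host":"WS-042","EventID":11,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\JnqxSiUgE3.exe","TargetFilename":"C:\\Users\\alice\\Desktop\\todo.txt.726"}
{"host":"WS-042","EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe"}
"""

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{host}\t{rule}\t{detail}")
```

The first two process rules are the ones worth alerting on in real time, since they fire before encryption starts; the ransom-note and ".726" rules confirm the family after the fact and are useful for scoping which hosts need to be isolated.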

Indicators of Compromise

The following indicators of compromise (IOC) have been identified in this campaign.

Files:

  • IMG_6214.js
    • ff34e601e6ffef100ce9171094bf291502c5e05f7b63de0b5e861a45cd9f6874
  • JnqxSiUgE3.exe
    • 9e95f90c8bdd43f2ba0ec4a48ea56270d688e99d17a1b8a03a79807d2745515e
    • Stored: %USERPROFILE%\AppData\Local\Temp
  • __t85D2.tmp.bat
    • 1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea
    • Stored: %USERPROFILE%\AppData\Local\Temp
  • RECOVER-FILES-726.html
    • 9ad35a2ab3e7aabdd63752c02317158f2843a1cd18fd4b30752980c91e84b097

Payload:

  • cipemiliaromagna.cateterismo[.]it
    • 85.235.131[.]55 HTTP 309 GET /hg65fyJHG??sJBLmSYWLW=sJBLmSYWLW
  • promultis[.]it
    • 185.81.1[.]156 HTTP 288 GET /hg65fyJHG??JnqxSiUgE=JnqxSiUgE
  • trombositting[.]org
    • 91.214.114[.]209 HTTP 295 GET /af/hg65fyJHG?JnqxSiUgE=JnqxSiUgE

Links:

  • hxxps://n224ezvhg4sgyamb.onion[.]link/efwdaq.php

Bitcoin Address:

  • 1MVMkqWS66JySLtkCdkmq9Hg4Y2TibR19N5
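A practical way to use the indicators above is a sweep that checks endpoints for the listed file hashes, the ".726" extension and the ransom note, and checks proxy logs for the payload hosts. The following is an added example written for this write-up, not SecureLink's tooling. The hashes, domains and IPs are taken from the IOC list; the URI marker "/hg65fyJHG" is simply the path segment that all three observed GET requests share. The proxy-log format, the client addresses, the host "unrelated-cdn.example" and the files created under a temporary directory are constructed for the example.

```python
"""IOC sweep for the GlobeImposter indicators listed above.

Added example, not SecureLink's tooling. Hashes, hosts and the URI marker
come from the report's IOC list; log lines and sample files are constructed.
"""
import hashlib
import os
import tempfile
from urllib.parse import urlparse

KNOWN_HASHES = {
    "ff34e601e6ffef100ce9171094bf291502c5e05f7b63de0b5e861a45cd9f6874",  # IMG_6214.js
    "9e95f90c8bdd43f2ba0ec4a48ea56270d688e99d17a1b8a03a79807d2745515e",  # JnqxSiUgE3.exe
    "1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea",  # __t85D2.tmp.bat
    "9ad35a2ab3e7aabdd63752c02317158f2843a1cd18fd4b30752980c91e84b097",  # RECOVER-FILES-726.html
}
# Kept defanged as published; refang() turns them into matchable values.
PAYLOAD_HOSTS = [
    "cipemiliaromagna.cateterismo[.]it", "85.235.131[.]55",
    "promultis[.]it", "185.81.1[.]156",
    "trombositting[.]org", "91.214.114[.]209",
]
URI_MARKER = "/hg65fyJHG"  # path segment common to all three observed GET requests
ENCRYPTED_EXT = ".726"
RANSOM_NOTE = "recover-files-726.html"


def refang(indicator: str) -> str:
    """Convert defanged notation ('[.]', 'hxxp') back into a live value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root: str, hashes=KNOWN_HASHES):
    """Walk root and return sorted (path, reason) hits for hash, note and extension matches."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if sha256_file(path) in hashes:
                hits.append((path, "known-bad sha256"))
            elif low == RANSOM_NOTE:
                hits.append((path, "ransom note"))
            elif low.endswith(ENCRYPTED_EXT):
                hits.append((path, "encrypted-file extension"))
    return sorted(hits)


def match_proxy_log(lines, hosts=PAYLOAD_HOSTS, uri_marker=URI_MARKER):
    """Flag proxy-log lines (constructed format: ts client method url status) whose
    host is an IOC domain/IP, or whose path carries the shared URI marker."""
    bad_hosts = {refang(h).lower() for h in hosts}
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, _method, url = parts[:4]
        u = urlparse(url)
        host = (u.hostname or "").lower()
        if host in bad_hosts:
            hits.append((client, url, "ioc host"))
        elif uri_marker in u.path:
            hits.append((client, url, "ioc uri pattern"))
    return hits


# Constructed proxy log: two hits on IOC hosts, one on the URI pattern only, one benign.
SAMPLE_PROXY_LOG = """\
2017-08-10T09:14:02Z 10.0.0.12 GET http://trombositting.org/af/hg65fyJHG?JnqxSiUgE=JnqxSiUgE 200
2017-08-10T09:14:05Z 10.0.0.12 GET http://85.235.131.55/hg65fyJHG??sJBLmSYWLW=sJBLmSYWLW 200
2017-08-10T09:15:40Z 10.0.0.33 GET http://unrelated-cdn.example/hg65fyJHG?x=1 200
2017-08-10T09:16:01Z 10.0.0.33 GET http://www.example.com/index.html 200
"""


def build_sample_tree():
    """Create a throwaway directory of constructed files; returns (root, sha256 of notes.txt)."""
    root = tempfile.mkdtemp(prefix="globeimposter_sweep_")
    files = {
        "report.docx.726": b"\x00encrypted-looking bytes\x00",
        "RECOVER-FILES-726.html": b"<html>constructed ransom note placeholder</html>",
        "notes.txt": b"harmless content",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root, hashlib.sha256(files["notes.txt"]).hexdigest()


if __name__ == "__main__":
    root, _ = build_sample_tree()
    for path, reason in sweep_files(root):
        print(f"FILE  {reason:26} {path}")
    for client, url, reason in match_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"PROXY {reason:26} {client} {url}")
```

The hash check only catches the exact samples analysed here, so the extension and ransom-note checks do most of the work on an endpoint; on the network side, the URI-pattern match is what keeps working once the listed domains have been rotated out.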

Recommended Actions

The payload domains will most likely not stay active for long but should be blocked immediately. All three observed download requests share the path segment "hg65fyJHG", so a web-proxy rule on that URI pattern may outlive any individual domain. Zip archives and JavaScript attachments should not be delivered to end users; this can be enforced on the Exchange server with an attachment-filtering transport rule. Because the malware deletes shadow copies and logs, recovery depends on backups the endpoint cannot reach, and investigation depends on event logs being forwarded off the host before infection.

Published August 10th, 2017 (last updated 2017-10-16)
