Fake COVID-19 survey hides ransomware in Canadian university attack – Malwarebytes Labs

Universities are a hot target for malware right now. In this latest attack, a threat actor was targeting the University of British Columbia with the goal of distributing ransomware.

This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from those previously documented. The survey is a malicious Word document whose goal is to download ransomware and extort victims to recover their encrypted files.

Upon discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful thanks to the quick response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.

This was likely done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without generating a large number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I'm sharing a mandatory survey with you that must be completed by Monday. It asks a few questions on how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thank you all! Stay strong! I understand times like this can be difficult!

Figure 1: The phishing document targeting UBC staff

According to UBC, fewer than 100 people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target group to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting site (notabug.org).

Figure 2: Template injection and a view of the macro
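Remote template injection of this kind leaves a trace that a defender can check for without opening the document: the attachedTemplate relationship in word/_rels/settings.xml.rels points at an external URL instead of a local template. The following Go program is an added example written for this post, not code from the original analysis or from the attacker's files; it builds a constructed, minimal .docx container (the URL is a placeholder) and reports any external template target it finds. The relationship type URI and part path are those defined by the OOXML standard.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// relationships mirrors the OOXML relationship part stored at
// word/_rels/settings.xml.rels inside a .docx/.dotm container.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// remoteTemplates returns the external attachedTemplate targets found in a
// Word document given as raw bytes. A non-empty result means Word will fetch
// a remote template, with whatever macros it carries, when the file is opened.
func remoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	var found []string
	for _, f := range zr.File {
		// Only the settings relationships part can carry attachedTemplate.
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, err
		}
		for _, r := range rels.Rels {
			if strings.HasSuffix(r.Type, "/attachedTemplate") && r.TargetMode == "External" {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// buildSampleDocx constructs a minimal container holding only the settings
// relationships part, which is all this check needs. With external=true it
// mimics a template-injection document; otherwise a benign local template.
func buildSampleDocx(target string, external bool) []byte {
	mode := ""
	if external {
		mode = ` TargetMode="External"`
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("word/_rels/settings.xml.rels")
	fmt.Fprintf(w, `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="%s"%s/>
</Relationships>`, target, mode)
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Placeholder URL: constructed sample, not an indicator from the campaign.
	sample := buildSampleDocx("https://example.invalid/template.dotm", true)
	urls, err := remoteTemplates(sample)
	if err != nil {
		panic(err)
	}
	for _, u := range urls {
		fmt.Println("remote template:", u)
	}
}
```

The same check applies to .dotm files, since they share the container layout; run it over a mail gateway's attachment quarantine and alert on any http(s) target.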

When the macro is executed, it does the following:

  • Gets the %APPDATA% directory
  • Creates the Byxor directory in %APPDATA%
  • Downloads a file from the following URL and writes it as Polisen.exe
    • notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
  • Downloads a file from the following URL and writes it as Killar.exe
    • notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
  • Calls the shell function to execute killar.exe
  • Checks the output of the shell function and whether it was successful (the return value would be the process ID of the executed application)
    • If successful, it sends a GET HTTP request to:
      canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
    • If it isn't successful, it sends a GET HTTP request to:
      canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

Figure 3: Code repository containing ransomware payloads

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which may indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com site. Typically, people use this type of service to get alerted for a specific event.

This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

Figure 4: Ransom note

The ransomware appears to be coded from scratch and is a relatively simple application written in Go which starts with the function denoted as 'main_main'.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRename
main_FOLOJVAG -> main_runCommands
main_DUVETVAD -> main_dropFile
main_HIDDENBERRIES -> main_xteaDecryptAndWriteToFile

A full list of the functions, along with their RVAs, can be found here.

Figure 5: File enumeration

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the library xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.
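To illustrate the string-recovery path just described (Base64 decode, then XXTEA with the hardcoded key), here is an added Go example; it is not code from the original post or from the malware. It reimplements the standard XXTEA (Corrected Block TEA) cipher rather than importing xxtea-go; the byte layout (little-endian words with the byte length appended as a trailing word, key zero-padded to 16 bytes) is the one used by the xxtea reference implementations and is assumed, not verified, to match that library. Because the real encrypted chunks are not reproduced in the write-up, the program encrypts a constructed note string itself and then decodes it; the trailing length word doubles as a cheap wrong-key check.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

const delta uint32 = 0x9e3779b9

// mx is the XXTEA (Corrected Block TEA) mixing function.
func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[p&3^e] ^ z))
}

// btea encrypts (encrypt=true) or decrypts v in place with a 4-word key;
// callers guarantee len(v) >= 2. This transcribes the reference algorithm.
func btea(v []uint32, encrypt bool, k []uint32) {
	n := len(v)
	rounds := 6 + 52/n
	if encrypt {
		var sum uint32
		z := v[n-1]
		for ; rounds > 0; rounds-- {
			sum += delta
			e := (sum >> 2) & 3
			p := 0
			for ; p < n-1; p++ {
				v[p] += mx(sum, v[p+1], z, uint32(p), e, k)
				z = v[p]
			}
			v[n-1] += mx(sum, v[0], z, uint32(p), e, k)
			z = v[n-1]
		}
		return
	}
	sum := uint32(rounds) * delta
	y := v[0]
	for ; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		p := n - 1
		for ; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], uint32(p), e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n-1], uint32(p), e, k)
		y = v[0]
		sum -= delta
	}
}

// toWords packs bytes into little-endian words, optionally appending the byte
// length as a final word (xxtea reference layout; assumed to match xxtea-go).
func toWords(b []byte, withLen bool) []uint32 {
	n := (len(b) + 3) / 4
	w := make([]uint32, n+1)
	for i, c := range b {
		w[i/4] |= uint32(c) << (8 * uint(i%4))
	}
	if withLen {
		w[n] = uint32(len(b))
		return w
	}
	return w[:n]
}

// toBytes unpacks words; with withLen the trailing word must be a plausible
// byte length for the word count, which rejects most wrong keys outright.
func toBytes(w []uint32, withLen bool) ([]byte, error) {
	n := len(w) * 4
	if withLen {
		m := int(w[len(w)-1])
		if m < n-7 || m > n-4 {
			return nil, errors.New("length word out of range: wrong key or corrupt data")
		}
		n = m
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = byte(w[i/4] >> (8 * uint(i%4)))
	}
	return out, nil
}

// fixKey zero-pads (or truncates) the key to the 16 bytes XXTEA expects.
func fixKey(key []byte) []uint32 {
	k := make([]byte, 16)
	copy(k, key)
	return toWords(k, false)
}

func xxteaEncrypt(data, key []byte) []byte {
	w := toWords(data, true) // at least 2 words: data plus length
	btea(w, true, fixKey(key))
	out, _ := toBytes(w, false)
	return out
}

func xxteaDecrypt(data, key []byte) ([]byte, error) {
	if len(data) < 8 {
		return nil, errors.New("ciphertext too short")
	}
	w := toWords(data, false)
	btea(w, false, fixKey(key))
	return toBytes(w, true)
}

// decodeString follows the recovery path from the write-up: Base64 decode,
// then XXTEA decrypt with the hardcoded key.
func decodeString(b64, key string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	pt, err := xxteaDecrypt(raw, []byte(key))
	return string(pt), err
}

func main() {
	// Constructed sample; the real encrypted strings are not reproduced here.
	enc := base64.StdEncoding.EncodeToString(xxteaEncrypt([]byte("constructed ransom note text"), []byte("STALKER")))
	dec, err := decodeString(enc, "STALKER")
	fmt.Println(enc, "->", dec, err)
}
```

When working from a real sample, feed decodeString the Base64 chunks pulled from the binary's string table; if the length check fails for every chunk, the byte layout assumption above is the first thing to revisit.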

Encrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Figure 6: Callback function to encrypt and rename

Files are encrypted with AES-256 (32 byte long key) in GCM mode.

Figure 7: AES-256 cipher

The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12 byte long nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.

Figure 8: Encryption routine

The content of the output file (with .VAGGEN extension) consists of:

  • the 12 byte long nonce
  • the encrypted content
  • the 16 byte long GCM tag

Figure 9: Highlighted part contains encrypted content

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content.

Figure 10: Encryption key found inside the code

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Figure 11: Bitcoin address showing no payment

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It is unclear at this point whether the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

Figure 12: Phishing document blocked by Malwarebytes Endpoint Protection

IOCs

Ransomware variants:

Variant1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm:
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
