Fake COVID-19 survey hides ransomware in Canadian university attack – Malwarebytes Labs
Universities are a hot target for malware right now. In this latest attack, a threat actor was targeting the University of British Columbia with the goal of distributing ransomware.
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.
In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.
However, this attack and its motives are different from those previously documented. The survey is a malicious Word document whose goal is to download ransomware and extort victims into paying to recover their encrypted files.
Upon discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful thanks to the quick response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients
The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.
This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it's much more difficult to detect spam sent through file sharing services without creating a lot of false positives.
The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):
Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I'm sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!
You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thank you all! Stay strong! I understand times like this can be difficult!
Figure 1: The phishing document targeting UBC staff
According to UBC, fewer than 100 people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, as it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target group to already be using one of these two sharing services.
Phishing document analysis
The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting site (notabug.org).
Figure 2: Template injection and a view of the macro
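Template injection leaves a concrete, inspectable marker in the document package: the remote template is recorded as an attachedTemplate relationship in word/_rels/settings.xml.rels. The following Go program, added here as an example and not code from the article or from the sample, opens a .docx as the zip it is, parses that rels part, and reports any attachedTemplate target that points at an http(s) URL, while ignoring the ordinary case of a template attached from the local profile. The BuildDocx helper, the two rels bodies and the template-host.invalid URL are constructed for the example; the phishing document's real URL is not on the page and is not used.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// relationship mirrors one <Relationship> element of an OOXML .rels part.
type relationship struct {
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Items []relationship `xml:"Relationship"`
}

// RemoteTemplates opens a .docx/.dotx (a zip) and returns the http(s) targets
// of any attachedTemplate relationship in word/_rels/settings.xml.rels. That
// part is where Word records a template to fetch on open, so a web URL there
// is the marker of template injection; a local path (e.g. Normal.dotm) is not
// reported.
func RemoteTemplates(doc []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, fmt.Errorf("not a valid OOXML zip: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("malformed rels part: %w", err)
		}
		for _, r := range rels.Items {
			target := strings.ToLower(strings.TrimSpace(r.Target))
			if strings.HasSuffix(r.Type, "/attachedTemplate") && r.TargetMode == "External" &&
				(strings.HasPrefix(target, "http://") || strings.HasPrefix(target, "https://")) {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// BuildDocx assembles a minimal in-memory document with the given
// settings.xml.rels body. Constructed test input only; it is not the phishing
// document from the article.
func BuildDocx(settingsRels string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	parts := map[string]string{
		"[Content_Types].xml":          `<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`,
		"word/document.xml":            `<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`,
		"word/_rels/settings.xml.rels": settingsRels,
	}
	for name, body := range parts {
		w, _ := zw.Create(name)
		io.WriteString(w, body)
	}
	zw.Close()
	return buf.Bytes()
}

const relsHeader = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`

// Placeholder URL (not the one from the article) standing in for a remote .dotm.
const SuspiciousRels = relsHeader + `
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://template-host.invalid/template.dotm" TargetMode="External"/>
</Relationships>`

// A template attached from the local profile, as an ordinary document has.
const BenignRels = relsHeader + `
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file:///C:\Users\me\AppData\Roaming\Microsoft\Templates\Normal.dotm" TargetMode="External"/>
</Relationships>`

func main() {
	for name, rels := range map[string]string{"suspicious": SuspiciousRels, "benign": BenignRels} {
		hits, err := RemoteTemplates(BuildDocx(rels))
		fmt.Printf("%s: remote templates=%v err=%v\n", name, hits, err)
	}
}
```

The check is deliberately narrow: it only reads the settings rels part and only flags web URLs, which keeps it cheap enough to run on every inbound attachment at a mail gateway or in a triage script. Other relationship types can also carry external targets (for instance for images or OLE objects), so a broader triage tool would walk every .rels part with the same loop.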
When the macro is executed, it does the following:
Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following url and writes it as Polisen.exe
We were able to identify 4 other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.
Opening the phishing document will trigger a notification via the canarytokens.com site. Typically, people use this type of service to get alerted about a specific event.
This can be very useful as an early warning system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.
After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is done, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.
Figure 4: Ransom note
The ransomware appears to be coded from scratch and is a relatively simple application written in Go which begins with the function denoted as 'main_main'.
Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.
A full list of the functions, along with their RVAs, can be found here.
Figure 5: File enumeration
Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the library xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.
Encrypting and renaming of the files is implemented as the callback of the standard Golang function path/filepath.Walk.
Figure 6: Callback function to encrypt and rename
Files are encrypted with AES-256 (32 byte long key) in GCM mode.
Figure 7: AES-256 cipher
The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.
Figure 8: Encryption routine
The content of the output file (with .VAGGEN extension) contains:
the 12 byte long nonce
the encrypted content
the 16 byte long GCM tag
Figure 9: Highlighted part contains encrypted content
The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content.
Figure 10: Encryption key found inside the code
With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.
Figure 11: Bitcoin address showing no payment
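Because the key is hardcoded and the file layout is fully described (12 byte nonce, ciphertext, 16 byte GCM tag, all produced by gcm.Seal), recovery is a short program. The Go code below is an added example, not the sample's code and not a tool from the article: it reproduces the described layout only to build test input, then walks a directory with filepath.Walk (the same traversal the sample uses to encrypt) and writes a decrypted copy beside every .VAGGEN file. The key is the one quoted on the page; the sample file contents and the temporary directory are constructed for the demonstration. GCM's tag check means a damaged or truncated file fails loudly instead of producing garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Hardcoded key recovered from the sample, as reported on the page (32 bytes = AES-256).
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12        // GCM nonce the sample generates with CryptGenRandom
	tagSize   = 16        // GCM authentication tag appended by gcm.Seal
	extension = ".VAGGEN" // extension the sample appends to each encrypted file
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
}

// EncryptLikeVaggen produces the on-disk layout the page describes
// (nonce || ciphertext || tag). Constructed for test input only; not the sample's code.
func EncryptLikeVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Passing nonce as dst makes Seal append ciphertext and tag right after it.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptVaggen splits a .VAGGEN blob into nonce and ciphertext||tag and
// decrypts it. GCM checks the tag, so a corrupted file is rejected.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("blob too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// RecoverDir walks root with filepath.Walk, writes a decrypted copy beside
// each .VAGGEN file and leaves the encrypted original in place. It returns
// the number of recovered files plus per-file errors, so one bad file does
// not abort the run.
func RecoverDir(root string, key []byte) (int, []error) {
	recovered, errs := 0, []error{}
	filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(path, extension) {
			return nil
		}
		blob, err := os.ReadFile(path)
		if err == nil {
			var plain []byte
			if plain, err = DecryptVaggen(key, blob); err == nil {
				err = os.WriteFile(strings.TrimSuffix(path, extension), plain, 0o600)
			}
		}
		if err != nil {
			errs = append(errs, fmt.Errorf("%s: %w", path, err))
			return nil
		}
		recovered++
		return nil
	})
	return recovered, errs
}

func main() {
	dir, err := os.MkdirTemp("", "vaggen-demo")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)
	sample := []byte("constructed sample document contents") // constructed input
	blob, _ := EncryptLikeVaggen([]byte(vaggenKey), sample)
	os.WriteFile(filepath.Join(dir, "report.docx"+extension), blob, 0o600)
	n, errs := RecoverDir(dir, []byte(vaggenKey))
	got, _ := os.ReadFile(filepath.Join(dir, "report.docx"))
	fmt.Printf("recovered %d file(s), %d error(s), restored: %v\n", n, len(errs), string(got) == string(sample))
}
```

Keeping the .VAGGEN originals in place until the decrypted copies have been verified is deliberate: if a file turns out to be from a variant with a different key, the authenticated decryption fails and nothing is overwritten.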
Unusually low ransom amount
Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.
However, the phishing attack was well conceived and the template looks well designed, with the nice touch of adding canary tokens. It's unclear at this point whether the University of British Columbia was the only target.
Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.
We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
Figure 12: Phishing document blocked by Malwarebytes Endpoint Protection