Tony Cole

Level 27
Well-known
May 11, 2014
1,639

The new Spora ransomware strain has now been dissected by more malware researchers and the team from G Data discovered that Spora uses an "innovative" way to spread itself via USB sticks. This strain is highly sophisticated and could become the "New Locky".

Spora has well-implemented encryption procedures that do not need a Command & Control server, a user-friendly payment site, choice of different “packages” that victims can opt for including immunity from future attacks, and Ransomware-as-a-Service capability.

Infection vector is email attachment with HTA file
Spora uses an HTA file with obfuscated VBScript code, and arrives in an email attachment with a ZIP file. Once the user falls for the social engineering tactic and double-clicks the ZIP, the HTA file writes a JScript file called close.js to disk and executes it.

The JScript file in turn is a dropper for a Word document and an .exe file that are both written to disk and opened by close.js, with the result that the document will be opened by Word or WordPad, but an error message is shown because the file is corrupt. Meanwhile back at the ranch, the .exe that was run has a seemingly random name hardcoded by the dropper but contains the actual payload.


Spora Exhibits Worm-like Behavior Using .LNK files

Ransomware that behaves like a worm has been spotted before with the ZCryptor strain, which uses the old autorun.inf, but Spora goes further than that, borrowing new technology from other malware which uses Windows shortcuts (.LNK files) instead. Spora adds the hidden .LNK attribute to files and folders on the desktop, in the root of USB drives and the system drive.

These hidden files and folders are, with the standard folder options, not visible anymore. Spora then replaces Windows shortcuts with the same name and icon as the hidden files and folders. Those .LNK files open the original file to avoid raising any suspicion but at the same time execute the malware and the worm copies itself as hidden file alongside the .LNK files.


Spora ransomware goes global

Data gathered by the ID-Ransomware service shows what was expected; Spora has started to spread to new territories outside former Soviet states. It was first spotted in the wild during the first week of the year, and its first version featured a ransom note only in Russian, meaning its distributors were only targeting territories with Russian-speaking users.

Last week, things changed, when Spora was identified in multiple ransomware distribution campaigns. ID-Ransomware started registering uploads of Spora-encrypted files from users outside the former Soviet territory. Countries like Saudi Arabia, Austria, or the Netherlands, became hotspots of Spora infections. Treat this like a heads-up, America will follow shortly.

Spora now spreads via exploit kits and spam waves

A new development is that security researchers Brad Duncan and Malware Breakdown have now spotted RIG-v exploit kits spreading Spora, and it's only the start of things.

MalwareHunterTeam is keeping an eye on a malware distribution server that had been used to host multiple ransomware strains in the past few days, such as Cerber, Locky and Spora. This server had been used combined with spam floods, not exploit kits, which shows two different Spora distribution methods being used at the same time. Users would receive emails with malicious attachments that contained code that downloaded the Spora binary from the distribution server.

Spora includes support for a "campaign ID," a parameter used to track both the effectiveness of different spam runs, but also different groups renting Spora from its creators. The jury is out if Spora has been made available as a Ransomware-as-a-Service offering, but what is sure is that this malware has now become a global threat.

Anyone bringing a USB stick to the office is now a possible ransomware infection vector.
Simply navigating through the folders on your system or desktop using double-click will execute the worm. Using this strategy, it will not only spread to USB thumb drives, it will also encrypt newly created files on the system. Anyone getting infected at the house with Spora and bringing their USB sticks to the office is now an infection vector.

The GData team noted that Spora deletes shadow volume copies and disables Windows error recovery and startup repair, but does not bypass User Account Control (UAC) yet, meaning at this point the user will be asked whether the malware is allowed to make changes. Wait for that to be fixed in a coming release.

Did you know? On average 45% of your users will plug in USBs
Find out now what your user’s reactions are to unknown USBs, with KnowBe4's new Free USB Security Test.

You can download our special, "beaconized" file onto any USB drive. Then label the drive with something enticing and drop the drive at an on-site high traffic area. If an employee picks it up, plugs it in their workstation and opens the file, it will "call home" and report the "fail" to your KnowBe4 console. And for Office documents, if the user also enables macros (!), additional data is tracked and geomapped.
 

spaceoctopus

Level 16
Verified
Top poster
Content Creator
Well-known
Jul 13, 2014
766
Spora - the Shortcut Worm that is also a Ransomware
A sophisticated threat with interesting business model - more encrypted files = higher ransom

Spora spreads via USB drives like Gamarue and Dinihou aka Jenxcus whilst also encrypting files. The sophistication of this threat could easily make it the new Locky. We discuss its infection and encryption procedure and show how it uses statistical values about encrypted files to calculate the ransom amount.


HTA email Attachment as common infection vector

Spora's ransom note was first spotted by the ID Ransomware maintainers and announced via Twitter by MalwareHunterTeam. Several malware researchers and Twitter users were amazed by the good-looking, professional ransomware website and ransom note. Experience showed that most of these websites are in a bad shape. The first sample was provided by a member of Bleepingcomputer and discussed in their Spora support topic.

This sample is an HTA application with obfuscated VBScript code. According to Bleepingcomputer it arrived in a ZIP archive via email attachment. Submissions on VirusTotal show the filename Скан-копия _ 10 января 2017г. Составлено и подписано главным бухгалтером. Экспорт из 1С.a01e743_рdf.hta.

The HTA file writes a JScript file to %TEMP%\close.js and executes it. The JScript file in turn is a dropper for a Word document that is written to %TEMP%\doc_6d518e.docx and a PE file that is saved to %TEMP%\81063163ded.exe. Both files are opened by close.js, the Word document with a parameter to show and focus the window, and the PE file with a parameter to hide it. As a result the document will be opened by the set default application for .docx files, e.g., Word, but an error message is shown because it is corrupt. The PE file 81063163ded.exe has a seemingly random name, but it is actually hardcoded by the dropper. The PE file is UPX packed and contains the actual payload.



Error message, appears after opening the corrupt document
Worm-like behavior similar to Dinihou and Gamarue
While ZCryptor had already been deemed a combination of ransomware and worm due to its usage of autorun.inf, Spora goes some steps further using the same techniques as Gamarue and Dinihou. The functionality of autorun.inf had been removed in Windows 7 and was patched on Windows XP and Windows Vista more than seven years ago, thus making it an ineffective technique for worms to spread via removable drives. The trick is: Gamarue, Dinihou and now also Spora use Windows shortcuts (.LNK files) instead.

Spora adds the hidden attribute to files and folders on the desktop, in the root of removable drives and the system drive. These hidden files and folders are, with the standard folder options, not visible anymore. Spora then puts Windows shortcuts with the same name and icon as the hidden files and folders as a visible replacement. Those .LNK files open the original file to avoid raising any suspicion and simultaneously execute the malware. An example: the folder C:\Windows will be hidden and a file named C:\Windows.lnk will be created; it looks exactly like the original folder if the standard folder options on Windows are set.

The .LNK files use the following command to execute the worm and open the original file. If the original file is a folder it will open Windows Explorer to show its contents:

/c explorer.exe "<originalfile>" & type "<worm>" > "%%tmp%%\<worm>" & start "<originalfile>" "%%tmp%%\<worm>"

The worm copies itself as a hidden file alongside the .LNK files; its filename is generated by calculating the CRC32 checksum for the VolumeSerialNumber. The result is put into the pattern %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02 (see address 0x405492). This means the name for the malware file can be, e.g., a277a133-ecde-c0f5-1591-ab36e22428bb.exe.


This function calculates the CRC32 based on the VolumeSerialNumber of the disk

.LNK files and a copy of the malware have been created in the root of the system drive.
The worm deletes the registry value HKCR\lnkfile\isShortcut with the effect that the shortcut icons don't show the characteristic bent arrow in the lower left corner, which would be a telltale sign to the user that something is wrong.

Simply navigating through the folders on your system and desktop using double-click will execute the worm. Using this strategy, it will not only spread to removable drives like USB thumb drives, it will also encrypt newly created files on the system. This renders the system unusable, for storing or working on any pictures or documents, until it is disinfected.


Function that deletes the isShortcut value in the registry
Encryption
Spora actually does not rename encrypted files and targets a comparably small set of extensions. The encryption procedure is shown in the diagram below.

.backup, .7z, .rar, .zip, .tiff, .jpeg, .jpg, .accdb, .sqlite, .dbf, .1cd, .mdb, .cd, .cdr, .dwg, .psd, .pdf, .odt, .rtf, .docx, .xlsx, .doc, .xls


The Spora encryption shown in an info graphic
Spora generates a pair of RSA keys, C1 and C2 (1024 bit). This newly generated public RSA key C2 is used to encrypt the per-file AES keys which are also generated by Spora. The generated private RSA key C1 on the other hand is stored in the .KEY file. That file is encrypted using a newly generated AES Key B (256 bit). The attacker's public RSA key A2 is used to encrypt AES key B. The encrypted key B is appended to the .KEY file. The figure below shows the code that writes the .KEY file's content including the encrypted AES key B to disk.

A second important file is the .LST file which contains a list of all encrypted files. Its encryption works analogous to the .KEY file encryption. A new AES key is generated, used to encrypt the .LST contents, encrypted by the public RSA key A2 of the attacker and appended to the .LST file in encrypted form (see screenshot below):


The encrypted content of the .KEY file and the encrypted AES Key are written to disk

AES key F is encrypted by public RSA key A and the .LST file contents are encrypted using AES key F (256 bit).
Using this encryption scheme, Spora does not have to obtain a key from a command and control server and can work offline. The user has to upload the .KEY file to the payment site.

The .KEY file is only decryptable by the ransomware authors. Using their private RSA key A1 they could decrypt the AES Key B that was appended to the .KEY file. They could decrypt the remaining .KEY file contents including the user's private RSA key C1 using AES key B. Then they may put the private RSA key C1 into a decrypter that they send to the user after they have received the payment. This handling ensures that the attackers' private RSA key A1 is not exposed and that the decrypter only works for one user. However, this also means that there is only one private RSA key A1 for several infections. If that key is leaked or obtained by law enforcement, it can be used to decrypt all files that were encrypted by this variant of Spora and as such we can consider it a master key.

Read more: Spora - the Shortcut Worm that is also a Ransomware - G DATA
 
Last edited by a moderator:
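The infection chain described in both write-ups quoted above (HTA attachment, mshta writes and runs close.js from %TEMP%, close.js drops a decoy document and an .exe into %TEMP% and starts both) leaves a recognisable parent/child shape in process-creation telemetry. The following is an added example, not KnowBe4's or G DATA's code and not the malware: a Python check over constructed Sysmon-style process events that flags a script host started by mshta.exe with a script in the user's Temp folder, then lists the executables that script host launched from Temp. PIDs, the user name "alice", the HTA file name and the logon-script event are invented; close.js, doc_6d518e.docx and 81063163ded.exe are the names reported in the G DATA post.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon event 1 or EDR telemetry gives you)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


# Matches the per-user temp directory that close.js and the dropped files live in.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_hta_dropper_chains(events):
    """Flag mshta.exe -> script host running a script from %TEMP% -> .exe launched from %TEMP%.

    Returns one finding per suspicious script-host process."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) != "mshta.exe":
            continue
        if basename(e.image) not in SCRIPT_HOSTS or not TEMP_DIR.search(e.cmdline):
            continue
        dropped = [c.image for c in events
                   if c.ppid == e.pid and c.image.lower().endswith(".exe") and TEMP_DIR.search(c.image)]
        findings.append({"hta_pid": parent.pid, "script": e.cmdline, "dropped_exes": dropped})
    return findings


# Constructed sample telemetry (hypothetical user "alice"; dropped-file names as in the G DATA post).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\alice\Downloads\scan_copy_pdf.hta"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\close.js"'),
    ProcEvent(400, 300, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\alice\AppData\Local\Temp\doc_6d518e.docx"'),
    ProcEvent(500, 300, r"C:\Users\alice\AppData\Local\Temp\81063163ded.exe",
              r"C:\Users\alice\AppData\Local\Temp\81063163ded.exe"),
    # Benign: a logon script run by the script host straight from explorer, no mshta parent.
    ProcEvent(600, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "\\dc01\netlogon\map_drives.vbs"'),
]

if __name__ == "__main__":
    for finding in find_hta_dropper_chains(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events it reports one chain (HTA process 200, close.js, one executable started from Temp) and ignores the logon script, because the parent test and the Temp-path test both have to hold. The same three conditions translate directly into a SIEM query over real process-creation logs.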
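The shortcut-worm behaviour described in both posts (hidden original next to a visible same-named .LNK, a hidden GUID-named .exe copy in the drive root, and the type-into-%tmp%-then-start command in the shortcut) can be checked for on a drive root without touching the shortcuts. This is an added example, not G DATA's or KnowBe4's code: a Python scanner over a directory listing that reports hidden/.lnk twins, hidden executables with the GUID-style name, and shortcut argument strings that follow the quoted launcher command. The listing, the helper names and the argument-string input are constructed; reading the argument string out of a real .LNK needs a shortcut parser, which this example assumes you already have.

```python
import os
import re
import stat
from collections import namedtuple

Entry = namedtuple("Entry", "name hidden is_dir")

# The worm's copy carries a CRC32-derived, GUID-looking name (the write-up's example is
# a277a133-ecde-c0f5-1591-ab36e22428bb.exe).
GUID_EXE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.exe$",
                      re.IGNORECASE)

# Shape of the .LNK argument string quoted in the post: copy the payload into %tmp% with `type`,
# then `start` it. The doubled %% from the write-up is accepted as well as a single %.
LAUNCHER = re.compile(r'type\s+"[^"]+"\s*>\s*"%+tmp%+\\[^"]+".*\bstart\s+',
                      re.IGNORECASE | re.DOTALL)


def find_shortcut_pairs(entries):
    """Return (shortcut, original) pairs where a visible X.lnk sits beside a hidden X."""
    by_name = {e.name.lower(): e for e in entries}
    pairs = []
    for e in entries:
        if e.hidden or not e.name.lower().endswith(".lnk"):
            continue
        original = by_name.get(e.name[:-4].lower())
        if original is not None and original.hidden:
            pairs.append((e.name, original.name))
    return pairs


def find_hidden_guid_exes(entries):
    """Hidden, non-directory entries whose name matches the GUID-style pattern."""
    return [e.name for e in entries if e.hidden and not e.is_dir and GUID_EXE.match(e.name)]


def is_worm_launcher(lnk_arguments):
    """True when a shortcut's argument string follows the type-into-%tmp%-then-start pattern."""
    return bool(LAUNCHER.search(lnk_arguments))


def scan_root(path):
    """Build entries from a real directory root: Windows hidden attribute where available,
    dot-prefix convention elsewhere (assumed helper, not from the write-up)."""
    entries = []
    for d in os.scandir(path):
        attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
        hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)) or d.name.startswith(".")
        entries.append(Entry(d.name, hidden, d.is_dir(follow_symlinks=False)))
    return entries


# Constructed listing of a system-drive root after the worm has run (names are illustrative).
SAMPLE_ROOT = [
    Entry("Windows", hidden=True, is_dir=True),
    Entry("Windows.lnk", hidden=False, is_dir=False),
    Entry("Users", hidden=True, is_dir=True),
    Entry("Users.lnk", hidden=False, is_dir=False),
    Entry("a277a133-ecde-c0f5-1591-ab36e22428bb.exe", hidden=True, is_dir=False),
    Entry("Program Files", hidden=False, is_dir=True),   # untouched: no shortcut twin
    Entry("readme.txt", hidden=False, is_dir=False),
]

# The argument string exactly as the write-up prints it.
SAMPLE_LNK_ARGS = (r'/c explorer.exe "<originalfile>" & type "<worm>" > "%%tmp%%\<worm>"'
                   r' & start "<originalfile>" "%%tmp%%\<worm>"')

if __name__ == "__main__":
    print("shortcut/hidden twins:", find_shortcut_pairs(SAMPLE_ROOT))
    print("hidden GUID-named exes:", find_hidden_guid_exes(SAMPLE_ROOT))
    print("launcher pattern in sample args:", is_worm_launcher(SAMPLE_LNK_ARGS))
```

On a live system you would feed scan_root() the root of each fixed and removable drive plus the user's Desktop, the three places the post says are affected. Note that the twin check is a file-system property and keeps working even after the worm has removed HKCR\lnkfile\isShortcut and the bent-arrow overlay is gone; a single shortcut whose original is merely hidden by the user is the obvious false positive to review by hand.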
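The key hierarchy in the Encryption section (operator pair A1/A2, a fresh per-victim pair C1/C2, AES key B sealing C1 into the .KEY file, a per-file AES key wrapped with C2) and the closing "master key" observation are easiest to follow in a runnable model. The block below is an added example, not G DATA's code and not the malware's: a Python model using stdlib-only stand-ins (textbook RSA over two ~20-bit primes in place of RSA-1024, an HMAC-SHA256 keystream in place of AES-256; both are toys and not usable as real cryptography) with the write-up's key names. The function names, the sample file contents and the .KEY layout as a two-element tuple are constructed for the example.

```python
import hashlib
import hmac
import math
import secrets


# ---- toy primitives: stand-ins for the RSA-1024 and AES-256 named in the write-up ----
def is_prime(n):
    return n > 1 and all(n % f for f in range(2, int(n ** 0.5) + 1))


def random_prime(lo=1_000_000, hi=2_000_000):
    while True:
        candidate = secrets.randbelow(hi - lo) + lo
        if is_prime(candidate):
            return candidate


def rsa_keygen(e=65537):
    """Textbook RSA over two small primes; returns ((n, e), (n, d))."""
    while True:
        p, q = random_prime(), random_prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_wrap(pub, m):        # m is an int in [2, n)
    return pow(m, pub[1], pub[0])


def rsa_unwrap(priv, c):
    return pow(c, priv[1], priv[0])


def random_key(modulus):
    return secrets.randbelow(modulus - 2) + 2


def stream(key_int, data):
    """XOR with an HMAC-SHA256 keystream; symmetric, so the same call decrypts."""
    key = key_int.to_bytes(8, "big")
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


# ---- the hierarchy from the write-up: A2 ships in the sample, A1 stays with the operator ----
ATTACKER_PUB, ATTACKER_PRIV = rsa_keygen()


def victim_side(attacker_pub, files):
    """One machine: fresh C1/C2, per-file key wrapped by C2, C1 sealed into the .KEY blob under B."""
    c2, c1 = rsa_keygen()
    encrypted = {}
    for name, data in files.items():
        k = random_key(c2[0])                                   # per-file AES key stand-in
        encrypted[name] = (rsa_wrap(c2, k), stream(k, data))
    b = random_key(attacker_pub[0])                             # AES key B stand-in
    c1_bytes = c1[0].to_bytes(8, "big") + c1[1].to_bytes(8, "big")
    key_file = (stream(b, c1_bytes), rsa_wrap(attacker_pub, b))  # .KEY body || B under A2
    return encrypted, key_file


def operator_side(attacker_priv, key_file):
    """Needs A1; hands back only C1, so A1 itself never has to leave the operator."""
    body, wrapped_b = key_file
    plain = stream(rsa_unwrap(attacker_priv, wrapped_b), body)
    return int.from_bytes(plain[:8], "big"), int.from_bytes(plain[8:], "big")


def victim_decrypter(c1, encrypted):
    """What a paying victim receives: only files whose keys were wrapped with the matching C2."""
    return {name: stream(rsa_unwrap(c1, wk), ct) for name, (wk, ct) in encrypted.items()}


def demo():
    files_v1 = {"report.docx": b"quarterly figures (constructed sample)", "photo.jpg": bytes(range(256))}
    files_v2 = {"notes.pdf": b"second machine (constructed sample)"}
    enc_v1, key_v1 = victim_side(ATTACKER_PUB, files_v1)     # no network contact needed
    enc_v2, key_v2 = victim_side(ATTACKER_PUB, files_v2)
    c1_v1 = operator_side(ATTACKER_PRIV, key_v1)              # one A1 opens every .KEY
    c1_v2 = operator_side(ATTACKER_PRIV, key_v2)
    return {
        "v1_restored": victim_decrypter(c1_v1, enc_v1) == files_v1,
        "v1_tool_works_on_v2": victim_decrypter(c1_v1, enc_v2) == files_v2,
        "v2_restored_with_same_a1": victim_decrypter(c1_v2, enc_v2) == files_v2,
    }


if __name__ == "__main__":
    print(demo())
```

demo() makes the three points of the post concrete: every step on the victim side uses only A2, which is why no command and control server is needed; the decrypter built from one victim's C1 does nothing for another victim; and a single A1 opens every .KEY file produced by the variant, which is exactly the master-key risk the post ends on.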

Nikos751

Level 17
Verified
Feb 1, 2013
912
Great article. I quickly took a look on it and I have one question. The author says:
"Once the user falls for the social engineering tactic and double-clicks the ZIP, the HTA file writes a JScript file called close.js to disk and executes it".
Does this mean that once the user opens the rar archive, the malware executes? I remember that such thing is rare and the user needs to actually double click the malicious file into the archive.
 

soccer97

Level 11
May 22, 2014
511
First thought: Conficker on steroids. If you use HitmanPro (scanner), if you click in the settings there is a box you can check that says "Protect me from the LNK vulnerability CVE-2010-2568".

Some companies forbid the use of USB drives and use mandatory Single write/ CD-R or DVD-R secure discs. I think they can block USB ports from recognizing things (and of course everyone should disable auto-play) - please.

MMPC Virus Encyclopedia: Win32/Conficker

MMPC post: SIRv12: The obstinacy of Conficker
 

Wave

The GData team noted that Spora deletes shadow volume copies and disables Windows error recovery and startup repair, but does not bypass User Account Control (UAC) yet
Wait until they've finished collecting some of their profits from the innocent people who got infected but had no choice but to pay to retrieve their important documents, then they'll hire someone with the skill-set to completely bypass UAC from the dark web - people have bypassed it before for free, they can do it for £200,000+ for sure.

It's not good news but it's just how it is :(

Either the developer of this is extremely skilled or they are collaborating in a team; this threat is becoming larger and more deadly, which means their risk of getting caught is increased and it also means the consequences for getting caught will be increased. They better bail out now or hope they don't get caught, because all factors, including how many people they infected, the damage costs overall, how much money they made, etc., will play a part in their sentence for getting caught. Probably looking at a very long time.
 
Last edited by a moderator: