Recent Spam Runs in Germany Show How Threats Intend to Stay in the Game

By Alice Decker, Jasen Sumalapao, and Gilber Sison

In early December, GoldenEye ransomware (detected by Trend Micro as RANSOM_GOLDENEYE.A) was observed targeting German-speaking users—particularly those working in human resources departments. A relabeled version of the Petya (RANSOM_PETYA) and Mischa (RANSOM_MISCHA) ransomware combo, GoldenEye kept not only the James Bond theme of its earlier iteration but also its attack vector.

With ransomware growth likely to reach a plateau, persistence in the threat landscape and diversification of target victims are the names of the game. GoldenEye exemplifies bad guys trying to gain scale, leverage, and profit with rehashed malware.

Apart from GoldenEye, we also saw spam runs and observed a surge in detections of Cerber (RANSOM_CERBER), Petya (RANSOM_PETYA), and Locky (RANSOM_LOCKY) in Germany. The social engineering lures of these malware families may be German, but the risks and impact are the same for everyone.

Recent ransomware incidents in Germany

Feedback from our Smart Protection Network™ cites Germany, Turkey, Italy, Spain, and France among the top countries in Europe with high ransomware detections from January to November 2016.

In Germany, a little over one third of these detections came from malicious URLs, while spam emails accounted for most of the infections (63%). Malicious URLs associated with Locky peaked at over 700 during the second week of November. From the last week of November to mid-December, the number of such URLs we blocked and monitored ranged between 50 and 400.

Like Petya and HDDCryptor, GoldenEye can overwrite the system’s master boot record. It was distributed through spam emails posing as missives from job applicants. They came with PDFs pretending to be résumés, as well as Excel spreadsheets (XLS) embedded with malicious macros.


Figure 1. Snapshot of the fake PDF (left), and spam email containing an XLS file (right) distributed by GoldenEye

Another recent campaign we espied in Germany delivered a one-two extortion punch to its would-be victims. Its operators tailored the spam emails to look as if they came from the cyber crime department of the Cologne police. Recipients are accused of fraud and are compelled to open the attachment—a .ZIP file containing a Word® file (W2KM_CERBER.DLBZY) embedded with a malicious macro that downloads and helps execute an imitation of Cerber (RANSOM_HiddenTearCerber.A). The copycat ransomware demonstrates how other strains impersonate the user interfaces of, and build on the notoriety and seeming success of, families such as CryptXXX, Locky, and Cerber to earn a fast buck.

The Cerber-mimicking malware is based on open source ransomware Hidden Tear, and comes in three different builds to avoid detection. It encrypts 128 file types, retrieves the infected system’s Volume Serial Number, and appends a .cerber extension to encrypted files.


Figure 2. Ransom note of Hidden Tear Cerber

Where there’s smoke, there’s fire

We also came across another campaign impersonating a telecommunications company. The spam email, which contained URLs belonging to the spoofed organization, purported to be a mobile phone bill notification. Users are prodded to open a zipped PDF attachment, which ultimately leads to a variant of the Sharik/Smoke Loader Trojan (TROJ_SHARIK.VDA).

Sharik/Smoke Loader injects itself into legitimate processes and sends system information to its command and control (C&C) server. It can remotely control the system to conduct malicious activities such as downloading other malware (based on the system’s location) and stealing credentials of the system’s FTP, IM and email clients, and web browsers among others.


Figure 3. Snapshot of Sharik/Smoke Loader-toting spam email

Old but pervasive banking Trojans

Even fairly old banking Trojans seem to have followed suit. EMOTET (TSPY_EMOTET), DRIDEX (TSPY_DRIDEX), and ZeuS/ZBOT (TSPY_ZBOT) also saw an increase in our detections in Germany during the same period. DRIDEX remained low-key until we detected a surge of around 250 active URLs during mid-December, while EMOTET used over 100 URLs in November. ZeuS/ZBOT, which has been evolving since 2007, had a fair number of active URLs in its employ, peaking at 250 from October to mid-December.

ZeuS/ZBOT, EMOTET, and DRIDEX are old but prevalent, and were employed mainly for data theft (stealing login credentials), with slight differences in modus operandi and social engineering. The threat actors behind these malware families directly siphon money from their victims’ bank accounts or peddle the stolen data in underground marketplaces.

Mitigation

End users can mitigate the risks with good security habits such as backing up data and disabling macros for files/attachments from unsolicited emails. Caution is advised with links in suspicious emails and with unfamiliar web pages, as bad guys leverage phishing sites to deceive unwitting users into handing over personal information. Keeping the operating system and its software/applications up-to-date lessens the system’s exposure to these information-stealing and data-encrypting malware. Regularly updating online banking credentials can also mitigate the risk of having them remotely hijacked and pilfered.

Dubious applications and processes, suspicious network activity, and system performance slowdowns are just some of the red flags IT admins should watch for when safeguarding their corporate network. Enterprises should also implement account restriction and/or management policies that block emails from unknown sources.
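The macro-disabling recommendation above can be enforced centrally rather than left to each user. As an added example that is not part of the original article, the following PowerShell script writes the Office policy registry values that disable VBA macros without notification and block macros in files downloaded or received as attachments (those carrying the Mark-of-the-Web), for Word, Excel and PowerPoint. It assumes an Office 2016 client (policy key `16.0`; Office 2013 uses `15.0`) and writes per-user policy keys, which is what a domain GPO would set fleet-wide.

```powershell
# Added example (not Trend Micro's code): set the Office macro policy values
# that stop macro-laden XLS/DOC attachments like those described above from
# executing. Assumption: Office 2016 ("16.0"); adjust for other versions.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

foreach ($App in $Apps) {
    $Key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }

    # VBAWarnings = 4 -> "Disable all macros without notification".
    # (1 = enable all, 2 = disable with notification, 3 = signed macros only)
    Set-ItemProperty -Path $Key -Name 'VBAWarnings' -Value 4 -Type DWord

    # blockcontentexecutionfrominternet = 1 -> macros in files that came from
    # the Internet zone (e-mail attachments, downloads) are blocked outright
    # and cannot be enabled from the Trust Bar by the user.
    Set-ItemProperty -Path $Key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# Audit step: read the values back so the change can be verified after a
# GPO refresh or before rolling the setting out more widely.
foreach ($App in $Apps) {
    $Key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    Get-ItemProperty -Path $Key |
        Select-Object @{ Name = 'App'; Expression = { $App } },
                      VBAWarnings,
                      blockcontentexecutionfrominternet
}
```

Values under the `Policies` hive take precedence over the user-selectable Trust Center settings, so users cannot re-enable macros from the Office UI once these are applied.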