Spoof US District Court emails spreading Sigma ransomware
Today, NCC Group researchers noticed an interesting spam campaign purporting to be from the United States District Court. The email has a Word document attached which contains a malicious payload. The email body contains an image, as shown in figure 1, which contains an ominous message as well as a password to enable the opening of the document.
Figure 1 - Email body
The document itself (shown in Figure 2) is encrypted and will only be decrypted when the password from the email body has been entered. This serves a few purposes:
- To hinder automated analysis. The document will not run until the password has been entered, which means automated analysis systems will not be able to open the document to analyse the contents.
- Attempt to evade static detection from antivirus software.
- A poor attempt at making the email and its attachment look legitimate.
Figure 2 - Malicious Word document
Once the document has been opened the victim will see instructions on how to enable the macro as well as a security warning that the document contains macros. Once the macro has been enabled, it will execute. The code for the macro is shown below in Figure 3.
Figure 3 - Document Macro
The macro code may look a little complicated but in essence all it’s doing is downloading and executing an executable file. The file background.png is downloaded from the IP address shown in the macro code and is saved to %TEMP%\svchost.exe. svchost.exe is actually the name of a legitimate Windows component but the real copy is actually located in the System32 directory. The spammers are obviously hoping than an unsuspecting victim will not notice!
A nice finishing touch to the macro is that after the malware has been downloaded and executed a message box pops up (Figure 4) informing the victim that the document could not be opened and they should try a different computer instead. This is a sneaky way of getting the victim to perform lateral movement for the malware!
Figure 4 - MessageBox from the Macro
Finally, once the malware has finished performing its malicious tasks, an html file (Figure 5) is dropped and opened informing the victim that all their files have been encrypted. At this point all the files have been encrypted and the damage has been done.
Figure 5 - Ransom Note
With the dominance of crypto miners in current spam campaigns, one would be forgiven for thinking that ransomware has been put on the cyber crooks back burner. This proves that ransomware is very much alive. It is, therefore, important to remain vigilant and try to mitigate these threats before they get a chance to do any real damage.
For more information on ransomware and how to protect your organisation, please click the following link: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/july/frequently-asked-questions-about-ransomware/
Published date:  11 May 2018
Written by:  Ben Humphrey