Ransomware – Undelivered Package
It’s almost Christmas and everyone is happy. I was waiting for some gifts from my grandma when I finally got an email from the Norwegian post delivery system saying that the delivery address was incorrect. My grandma never gets the address right!
Luckily, I was able to download the delivery note so I could redeem the package later 🙂
Last year she made the same mistake as well: phishing-and-ransomware
The link I received by the email brought me first to http://samara-kosmopoisk.org/1fFZS6/0WPj1guLTp.php , which then redirected me to http://yhj.postnord24.com/r0gnqz.php?id=
It also appears that the hacked server samara-kosmopoisk.org had directory listing enabled, which gives a clearer picture of what is happening here:
- NEARLB835pc.dat = IP geolocation database
- y2xDgnCq7MJ.inc = PHP reader for the IP geolocation database (made by maxmind.com)
- 0WPj1guLTp.php = PHP script that redirects you if you are from Norway
So, if you have a Norwegian IP address, you will be forwarded to the Posten phishing page.
Once the CAPTCHA is filled out, you will be able to download Posten_adresselapp.zip.
This zip file contains Posten_Adresselapp.js, a heavily obfuscated TrojanDownloader:JS/Nemucod that relies on ActiveXObject to download and run a binary file from http://intcentr.com/wp-includes/sql.uio. The file is then renamed to <random>.exe under a temp folder and executed.
Once executed, the ransomware starts several actions simultaneously in order to survive, spread and encrypt your computer:
- It attempts to send a similar phishing mail to everyone in your contact list.
- It makes itself persistent by adding a Run key; which location it uses depends on its privileges.
- It contacts a C2 proxy server in order to identify itself and retrieve the RSA encryption keys (last I checked, this was RSA 4096).
- It starts encrypting documents, pictures and other files on the hard drive, USB drives, mapped shares and mapped cloud storage.
I hope you have backups; otherwise there is no way to access these files unless you pay up.
Indicators of compromise
- Email header: “Posten Norge ikke var i stand til å levere pakken ved din adresse. CT<RANDOMNR>NO”
- Victim has clicked the link: http://<random>.postnord24.com/<random>.php?id=<base64 victim_email>
- Victim has downloaded the trojan downloader (Posten_adresselapp.zip)
- Victim has executed Posten_Adresselapp.js: .uio files downloaded
- Encrypted files are named <filename>.<6 random characters>, for example CV.docx.atxgja or profilepicture.png.ojumep
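To show how the indicators above can be turned into detection logic, here is an added Python example (written for this post, not code from the original write-up or from any of the tools mentioned). It checks mail subjects against the lure text, pulls landing-page and payload hits out of proxy log lines (decoding the base64 victim address from the id parameter) and flags file names shaped like <filename>.<6 random characters>. The subject text, the postnord24.com and intcentr.com hosts and the .uio extension come from the post; the log lines, the victim@example.no address and the file listing are constructed sample data.

```python
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import urlparse

# --- Constructed sample data (not real mail, logs or files) -----------------
SAMPLE_SUBJECTS = [
    "Posten Norge ikke var i stand til å levere pakken ved din adresse. CT48213NO",
    "Your December invoice",
]
SAMPLE_PROXY_LOG = [
    "2015-12-14T10:02:11 10.0.0.23 GET http://abc.postnord24.com/r0gnqz.php?id=dmljdGltQGV4YW1wbGUubm8=",
    "2015-12-14T10:03:45 10.0.0.23 GET http://intcentr.com/wp-includes/sql.uio",
    "2015-12-14T10:05:00 10.0.0.40 GET http://example.org/index.html",
]
SAMPLE_FILES = ["CV.docx.atxgja", "profilepicture.png.ojumep", "report.pdf",
                "archive.tar.gz", "notes.txt.abc"]

# --- Indicators taken from the post -----------------------------------------
SUBJECT_RE = re.compile(
    r"Posten Norge ikke var i stand til å levere pakken ved din adresse\. CT\d+NO")
PHISHING_DOMAIN = "postnord24.com"            # landing page lives on <random>.postnord24.com
PAYLOAD_URL_RE = re.compile(r"https?://\S+\.uio$")  # second-stage binary fetched as .uio
URL_RE = re.compile(r"https?://\S+")
# <filename>.<6 random characters>: the real extension stays in the 'orig' group
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]{1,5})\.(?P<suffix>[a-z]{6})$")


def is_lure_subject(subject: str) -> bool:
    """True if a mail subject matches the lure text with its CT<number>NO tracking id."""
    return SUBJECT_RE.search(subject) is not None


def decode_victim_id(value: str) -> Optional[str]:
    """The id parameter carries the base64-encoded victim address; tolerate missing padding."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def scan_proxy_log(lines: List[str]) -> List[dict]:
    """One finding per line that reaches the landing host or fetches the .uio payload."""
    findings = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group(0)
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host == PHISHING_DOMAIN or host.endswith("." + PHISHING_DOMAIN):
            # Read id= by hand: parse_qs would turn '+' in base64 into a space.
            idm = re.search(r"(?:^|&)id=([^&]*)", parsed.query)
            victim = decode_victim_id(idm.group(1)) if idm else None
            findings.append({"stage": "landing_page", "host": host,
                             "victim": victim, "line": line})
        elif PAYLOAD_URL_RE.match(url):
            findings.append({"stage": "payload_download", "host": host,
                             "victim": None, "line": line})
    return findings


def find_encrypted_files(names: List[str]) -> List[str]:
    """Names shaped like <filename>.<6 random characters>, e.g. CV.docx.atxgja."""
    return [n for n in names if ENCRYPTED_RE.match(n)]


def encryption_ratio(names: List[str]) -> float:
    """Fraction of a listing that looks encrypted. One hit is weak evidence (a legitimate
    'backup' suffix is also six lowercase letters); most of a folder matching is not."""
    if not names:
        return 0.0
    return len(find_encrypted_files(names)) / len(names)


if __name__ == "__main__":
    print("lure subjects:", [s for s in SAMPLE_SUBJECTS if is_lure_subject(s)])
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f["stage"], f["host"], f["victim"])
    print("encrypted-looking:", find_encrypted_files(SAMPLE_FILES),
          "ratio:", encryption_ratio(SAMPLE_FILES))
```

The file-name check is deliberately a heuristic: the pattern in the post is generic enough that ordinary files can match it, so the ratio across a folder (or across a file server share) is a better trigger than a single name. The decoded id is useful for scoping an incident, since it tells you which mailbox received the lure.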