Ransomware – Undelivered Package

Christmas is coming soon and everyone is happy. I was waiting for some gifts from my grandma when I finally got an email from the Norwegian postal service saying that the delivery address was incorrect. My grandma never gets the address right!
Luckily, I was able to download the delivery note so I could redeem the package later 🙂

Last year she made the same mistake as well: phishing-and-ransomware

The link in the email first took me to http://samara-kosmopoisk.org/1fFZS6/0WPj1guLTp.php , which then redirected me to http://yhj.postnord24.com/r0gnqz.php?id=
It also appears that the hacked server samara-kosmopoisk.org had directory listing enabled, which gives a clearer picture of what is happening here.

NEARLB835pc.dat = IP geolocation database
y2xDgnCq7MJ.inc = PHP script for reading the IP geolocation database (made by maxmind.com)
0WPj1guLTp.php = PHP script that redirects you if your IP address is from Norway.

So, if you have a Norwegian IP address, you are forwarded to the Posten phishing page.

[Image: landing page of the phishing site]

Once the captcha is filled out, you can download Posten_adresselapp.zip.

This zip file contains Posten_Adresselapp.js, a heavily obfuscated TrojanDownloader:JS/Nemucod that relies on ActiveXObject to download and run a binary file from http://intcentr.com/wp-includes/sql.uio. The file is then renamed to <random>.exe under a temp folder and executed.

Once executed, the ransomware starts several actions simultaneously in order to survive, spread and encrypt your computer:

  1. It will attempt to send a similar phishing mail to everyone on your contact list.
  2. It will make itself persistent by adding a Run key under one of the following, depending on privileges:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  3. It will contact a C2 proxy server in order to identify itself and retrieve the RSA encryption keys (last I checked, this was RSA 4096).
  4. It will start encrypting documents, pictures and other files on the hard drive, USB drives, mapped shares and mapped cloud storage.
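Added example (not code from the original post): a small Python audit of the two Run keys listed in step 2, flagging any value that launches an executable from a temp directory, which is the persistence pattern described here (a <random>.exe dropped under a temp folder). The sample entries are constructed; on Windows the script also reads the live keys through the standard winreg module. The temp-directory patterns and the "OneDrive"/"SecurityHealth" entries are assumptions chosen for illustration.

```python
import re
import sys

# The two Run keys the post names; which one is used depends on privileges.
RUN_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]

# Temp locations a dropped <random>.exe typically lives in (assumed list,
# matched case-insensitively against the program path).
TEMP_DIR_RE = re.compile(
    r"%temp%|\\appdata\\local\\temp\\|\\windows\\temp\\", re.IGNORECASE
)


def extract_program(command: str):
    """Return the program path from a Run value, with or without quotes and arguments."""
    command = command.strip()
    if not command:
        return None
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else None
    return command.split(" ", 1)[0]


def audit_run_entries(entries):
    """entries: {value_name: command}. Returns [(value_name, command, reason)] for suspicious ones."""
    findings = []
    for name, command in entries.items():
        program = extract_program(command)
        if program is None:
            continue
        # Legitimate software almost never persists from a temp directory.
        if TEMP_DIR_RE.search(program) and program.lower().endswith(".exe"):
            findings.append((name, command, "executable started from a temp directory"))
    return findings


def read_live_run_keys():
    """Windows only: collect values from both Run keys; returns an empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    entries = {}
    for hive_name, subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive_name], subkey)
        except OSError:
            continue  # key absent or not readable
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            entries[f"{hive_name}\\{subkey}\\{name}"] = str(data)
            i += 1
        winreg.CloseKey(key)
    return entries


# Constructed sample: two ordinary entries and one matching the post's description.
SAMPLE_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "vQz9KfLp": r'"C:\Users\alice\AppData\Local\Temp\vQz9KfLp.exe"',
}

if __name__ == "__main__":
    entries = read_live_run_keys() or SAMPLE_ENTRIES
    for name, command, reason in audit_run_entries(entries):
        print(f"[!] {name}: {command}  ({reason})")
```

Run without arguments: on Windows it audits the real keys, elsewhere it falls back to the constructed sample and reports the one entry pointing into AppData\Local\Temp.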

[Image: infected system]

[Image: encrypted files]

What now?
I hope you have a backup; otherwise there is no way to access these files unless you pay up.

Indicators of compromise

Email header: “Posten Norge ikke var i stand til å levere pakken ved din adresse. CT<RANDOMNR>NO”
Victim has clicked the link: http://<random>.postnord24.com/<random>.php?id=<base64 victim_email>

Victim has downloaded the Trojan downloader:
Posten_adresselapp.zip
SHA256: 2ee43ceb462ea71e999e70877d22dcdb9e0c6831e634bd5ca7a5fe73fadfd7c7
SHA1: b7e5c6af6a08466a947da56fe8f22642b0eb5b56
MD5: bcb7b077369e789813fd1cac412dca2c

Posten_Adresselapp.js (Zipped)
SHA256: 4518f0152093de293d3c1f97e9f1b24017c3e0ce44554eacc3bd8561c08da634
SHA1: b3ebd07eb8b0b384eaeb7ff25338fbb610343af0
MD5: d1c7a9a83da1ebd9067f5d5a212fed09

Victim has executed Posten_Adresselapp.js:
.uio payload downloaded from one of
http://intcentr.com/wp-includes/sql.uio
http://tahograf52.com/manager/includes/form.uio

SHA256: f1557a6c5de8a257846c3b609c9490d78485b6e4a8229c44c19a50e1fb37ad53
SHA1: 09ef2366f5b7c7f48a2b32676c3b1ee1b6aacdc6
MD5: f0686683c261a2341a4ebe16f343d589

Encrypted files are named: <filename>.<6 random characters>
Example: CV.docx.atxgja, profilepicture.png.ojumep
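Added example (not code from the original post): a Python scanner that turns the indicator list above into two checks, a hash match against the published SHA256/SHA1/MD5 values for the zip, the .js and the .uio payload, and a filename check for the <filename>.<6 random characters> pattern of encrypted files. The set of targeted extensions and the assumption that the random suffix is six lowercase letters (as in both examples) are mine, not the post's; the per-file name check is a heuristic (a file such as notes.txt.backup also matches), so act on the count rather than a single hit.

```python
import hashlib
import os
import re
import sys

# Digests published in the indicator list above, lowercase hex -> artifact label.
KNOWN_BAD_HASHES = {
    # Posten_adresselapp.zip
    "2ee43ceb462ea71e999e70877d22dcdb9e0c6831e634bd5ca7a5fe73fadfd7c7": "Posten_adresselapp.zip",
    "b7e5c6af6a08466a947da56fe8f22642b0eb5b56": "Posten_adresselapp.zip",
    "bcb7b077369e789813fd1cac412dca2c": "Posten_adresselapp.zip",
    # Posten_Adresselapp.js
    "4518f0152093de293d3c1f97e9f1b24017c3e0ce44554eacc3bd8561c08da634": "Posten_Adresselapp.js",
    "b3ebd07eb8b0b384eaeb7ff25338fbb610343af0": "Posten_Adresselapp.js",
    "d1c7a9a83da1ebd9067f5d5a212fed09": "Posten_Adresselapp.js",
    # downloaded .uio payload (sql.uio / form.uio)
    "f1557a6c5de8a257846c3b609c9490d78485b6e4a8229c44c19a50e1fb37ad53": "sql.uio/form.uio payload",
    "09ef2366f5b7c7f48a2b32676c3b1ee1b6aacdc6": "sql.uio/form.uio payload",
    "f0686683c261a2341a4ebe16f343d589": "sql.uio/form.uio payload",
}

# Assumed list of document/picture extensions the ransomware goes after; extend as needed.
TARGET_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt",
               "jpg", "jpeg", "png", "gif"}

# <original name>.<ext>.<6 lowercase letters>; the suffix alphabet is assumed from the examples.
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+\.(?P<ext>[A-Za-z0-9]+))\.(?P<suffix>[a-z]{6})$")


def looks_encrypted(filename: str) -> bool:
    """True if the name matches the encrypted pattern and the inner extension is a targeted type."""
    m = ENCRYPTED_RE.match(filename)
    return bool(m) and m.group("ext").lower() in TARGET_EXTS


def digests_of_file(path: str, chunk: int = 1 << 20) -> dict:
    """Compute sha256/sha1/md5 of a file in one pass, reading in chunks."""
    hashers = {algo: hashlib.new(algo) for algo in ("sha256", "sha1", "md5")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def identify_artifact(digests: dict):
    """Return the artifact label if any digest is a published indicator, else None."""
    for digest in digests.values():
        label = KNOWN_BAD_HASHES.get(digest.lower())
        if label:
            return label
    return None


def scan_tree(root: str):
    """Walk a directory; return (encrypted-looking paths, [(path, label)] hash hits)."""
    encrypted, hits = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if looks_encrypted(name):
                encrypted.append(path)
            try:
                label = identify_artifact(digests_of_file(path))
            except OSError:
                continue  # unreadable file, skip it
            if label:
                hits.append((path, label))
    return encrypted, hits


if __name__ == "__main__":
    enc, hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, label in hits:
        print(f"IOC hit: {path} -> {label}")
    print(f"{len(enc)} file(s) with the encrypted-name pattern")
```

Usage: `python scan.py /path/to/share`. A handful of encrypted-looking names may be noise; hundreds appearing at once across a mapped share is the signal the post's step 4 describes.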
