Recently, we’ve spotted Zepto ransomware spreading through spam email containing fake invoices (see image below). These attachments contain a macro-enabled Word document known as Donoff, which downloads the Zepto executable that encrypts all your files and later demands payment for the decryption key.
We decided to take a closer look at the Donoff macro used to download the Zepto ransomware. Here’s what we found:
The VBA Macro code
At first glance, the code is fully commented in Spanish and uses randomly generated variable names.
Here’s a look at the code:
Retrieving Zepto
The Word document contains two macro functions, autoopen and ActualizarEntrada.
Here are more snippets of code showing the processing of obfuscated text.
These are the strings revealed after deobfuscation.
- XMLHTTP
- streaM
- Application
- shell
- Process
- GeT
- TeMP
- Type
- open
- write
- responseBody
- savetofile
- \sysdrubpas.exe
This VBA macro uses the Microsoft.XMLHTTP and ADODB.Stream objects to download Zepto.
The Microsoft.XMLHTTP object is one of Microsoft’s XML DOM (Document Object Model) components; it gives client-side code access to XML documents on remote servers over HTTP, and it can be used to request or send any type of document.
The ADODB.Stream object is used to read, write and manage a stream of binary data or text.
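The strings listed above only become visible once the macro’s string-building is undone, so a static check has to do that first. The following is an added example, not code from the post or from ThreatTrack: it folds two common VBA obfuscation tricks (Chr() calls and literal concatenation, assumed here since the post does not show Donoff’s exact scheme), then looks for the listed indicators grouped by stage of the download, write-to-disk and execute chain, and for an auto-run entry point. The macro text is a constructed sample that only assembles strings; it is not the Donoff code.

```python
import re
from typing import Dict, List

# Indicator patterns built from the strings the post lists after deobfuscation, grouped by
# the stage of the download-write-execute chain they belong to.
INDICATORS: Dict[str, List[str]] = {
    "download": [r"\bXMLHTTP\b", r"\bGET\b", r"\bopen\b", r"\bresponseBody\b"],
    "write_to_disk": [r"\bstream\b", r"\bType\b", r"\bwrite\b", r"\bsavetofile\b"],
    "execute": [r"\bshell\b", r"\bApplication\b", r"\bProcess\b"],
    "drop_location": [r"\bTEMP\b", r"\.exe\b"],
}
# Macro entry points that fire as soon as the document opens with macros enabled.
AUTO_ENTRY = re.compile(r"\b(autoopen|auto_open|document_open|workbook_open)\b", re.I)

CHR_CALL = re.compile(r"\bChrW?\(\s*(\d+)\s*\)", re.I)
CONCAT = re.compile(r'"\s*[&+]\s*"')  # the seam between two adjacent literals: "ab" & "cd"


def deobfuscate(vba: str) -> str:
    """Fold Chr()/ChrW() calls into literals and join concatenated literals.
    These two tricks are an assumption; the post does not show Donoff's exact scheme."""
    def chr_to_literal(m):
        ch = chr(int(m.group(1)))
        return m.group(0) if ch == '"' else '"%s"' % ch  # leave Chr(34) untouched
    text = CHR_CALL.sub(chr_to_literal, vba)
    while True:  # repeat until no "a" & "b" seams remain
        joined = CONCAT.sub("", text)
        if joined == text:
            return text
        text = joined


def scan_macro(vba: str) -> dict:
    """Return the indicators found per stage, whether the macro auto-runs, and a verdict."""
    text = deobfuscate(vba)
    hits: Dict[str, List[str]] = {}
    for stage, patterns in INDICATORS.items():
        found = [m.group(0) for p in patterns for m in [re.search(p, text, re.I)] if m]
        if found:
            hits[stage] = found
    # A downloader needs all three core stages; anything less is only "suspicious".
    core = {"download", "write_to_disk", "execute"}
    if core <= set(hits):
        verdict = "likely downloader"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "auto_run": bool(AUTO_ENTRY.search(text)), "hits": hits}


# Constructed sample: assembles the kind of strings the post lists, nothing more.
SAMPLE_MACRO = r'''
Sub autoopen()
    ActualizarEntrada
End Sub

Sub ActualizarEntrada()
    ' Strings assembled at run time (constructed sample, not the Donoff source)
    hjq = "Micro" & "soft.XML" & "HTTP"
    wqz = Chr(71) & Chr(101) & Chr(84)
    ptx = "Adodb." & "streaM"
    lmn = "sav" & "etofile"
    rkd = "Shell." & "Application"
    zvb = Environ("TeMP") & "\sysdrubpas.exe"
End Sub
'''

if __name__ == "__main__":
    print(scan_macro(SAMPLE_MACRO))
```

Word boundaries keep short indicators such as `open` and `write` from matching inside ordinary identifiers (`autoopen` does not count as `open`), and the verdict requires the download, write and execute stages together, so a macro that merely calls `Shell` is reported as suspicious rather than as a downloader.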
The following code decrypts to
Here’s the code that downloads the encrypted Zepto executable file.
The encrypted file is stored on the file system as TempWFDSAdrweg. The macro then uses the key Aw3WSr7dB3RlPpLVmGVTtXcQ3WG8kQym to decrypt it and writes the decrypted binary to the file sysdrubpas.exe in the %temp% folder. The %temp% folder is usually C:\Users\<username>\AppData\Local\Temp.
Decryption code
Encrypted Zepto (Displayed here in Hexadecimals):
Decrypted Zepto (now in Executable form):
The script then executes sysdrubpas.exe, infecting the user’s system.
ThreatAnalyzer – Malware Sandbox Analysis
When the malicious Word document is executed in our malware analysis sandbox ThreatAnalyzer, here’s the resulting process tree:
The ThreatAnalyzer Behavioral Determination Engine flags this as a 100% malicious file and finds dozens of suspicious behaviors.
One notable behavior common to ransomware is the deletion of shadow copies, which prevents easy restoration from Windows backups.
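Two of the behaviors described here, a Word process ending up with a child executable in %temp% and the deletion of shadow copies, are easy to express as checks over process-creation events. The following is an added example, not ThreatAnalyzer’s engine or any code from the post: it walks a list of constructed events (pid, parent pid, image path, command line), flags executables under AppData\Local\Temp that have an Office host in their ancestry, and flags the vssadmin and wmic shadow-copy deletion command lines. The post records the shadow-copy deletion but does not print the command, so those two patterns are an assumption based on the forms commonly seen.

```python
import re
from typing import Dict, List

# Office hosts whose macros should not be launching executables out of a user's Temp folder.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# %temp% normally resolves to C:\Users\<username>\AppData\Local\Temp, as the post notes.
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Shadow-copy deletion commands commonly seen in ransomware. Assumption: the post observes
# the behaviour but does not show the exact command line Zepto used.
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: Dict[int, dict]) -> List[dict]:
    """Return the known parent chain of pid (nearest first); stops on an unknown pid or a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            chain.append(by_pid[pid])
    return chain


def detect(events: List[dict]) -> List[dict]:
    """Apply both rules to every event and return one finding per rule match."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        office_parent = any(basename(a["image"]) in OFFICE_HOSTS
                            for a in ancestors(ev["pid"], by_pid))
        if TEMP_PATH.search(ev["image"]) and office_parent:
            findings.append({"rule": "office-spawned-temp-executable",
                             "pid": ev["pid"], "image": ev["image"]})
        if any(p.search(ev["cmdline"]) for p in SHADOW_DELETE):
            findings.append({"rule": "shadow-copy-deletion",
                             "pid": ev["pid"], "image": ev["image"]})
    return findings


# Constructed process-creation events modelled on the chain the post describes
# (Word -> sysdrubpas.exe in %temp% -> shadow copies removed), plus benign noise.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\alice\AppData\Local\Temp\sysdrubpas.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\sysdrubpas.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\7-Zip\7zFM.exe", "cmdline": "7zFM.exe"},
    # A Temp executable launched from Explorer, not from Office: not flagged by rule one.
    {"pid": 600, "ppid": 100, "image": r"C:\Users\alice\AppData\Local\Temp\installer_setup.exe",
     "cmdline": "installer_setup.exe /S"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The ancestry walk matters: the shadow-copy deletion in the sample is two hops below WINWORD.EXE, and a rule that only compared each process to its direct parent would miss the executable if the macro had inserted an intermediate cmd.exe. The Temp rule is deliberately narrow (Office ancestor plus Temp path) so that ordinary installers unpacking to %temp% do not trip it.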
Other behaviors are very similar to our previous post about Zepto ransomware: https://blog.threattrack.com/ransomware-packed-into-wsf-spam/.
Preventing Ransomware Infections
To prevent ransomware, we recommend blocking it early, at the root of its infection chain. Here are some tips:
- Always keep your operating system, applications and security products patched and up to date
- Take precaution when opening attachments, especially when sent by an unknown sender
- Never enable VBA macros by default for any Microsoft Office application. Some macro malware even tells you how to enable macros, or misleads you into doing so.
- Deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure
- Regularly back up your data
HASHES
e98aee56175daaa96f259d04077d820f – malicious DOC attachment (Trojan-Downloader.O97M.Donoff.by (v))
837a5b0dbd5850634bfecadadc751cdd – Zepto executable (Trojan.Win32.Generic!BT)
Analysis by Wilmina Elizon
The post Donoff Macro Dropping Ransomware appeared first on ThreatTrack Security Labs Blog.