CSIS has been informed of a number of targeted spear-phishing attacks against Danish chiropractors. The attacks were carried out with well-drafted e-mails, written in flawless Danish and sent to carefully selected targets.

Note that the e-mail relies on a high degree of social engineering to entice this target group to click on the web link it provides. At the same time, the content of the e-mail suggests that it was written by a Dane.
We have chosen to categorize this as a “high” risk, even though the attack is narrowly targeted. This is partly due to the degree of social engineering behind the attack and partly to the destructive code it attempts to install on the victim’s machine. This type of attack is likely to succeed against many other industries in Denmark and can thus be a threat to most businesses and public authorities.
The unwanted e-mail provides a Dropbox link that leads to a new ransomware variant, dubbed “ransomware-Pacman” by the author of the code. This is obvious from the compilation leftover (the PDB path) in the binary: “L:\x00[ransomware]\Pacman\Pacman\obj\x86\Release\Pacman.pdb”.
The code is ‘binded’ (wrapped by a binder) and consists of several layers meant to make the malicious code harder to analyze and detect.
The main component can be extracted from the resources in the file and is, unsurprisingly, called “pacman.exe”. Even the file properties make it obvious that this is the name the author wants us to know:
0000350C Pacman.exe
0000352A LegalCopyright
00003548 Copyright
0000355E 2014
00003572 LegalTrademarks
00003594 Pacman Tour
000035B2 OriginalFilename
000035D4 Pacman.exe
000035F2 ProductName
0000360C Pacman Tour
The code is developed in .NET and thus requires the .NET Framework to be installed; however, the vast majority of Microsoft Windows installations have it available nowadays.
When run, it writes a copy of itself to the system via “NtCreateFile”:
C:\DOCUME~1\[%brugerkonto%]\LOCALS~1\Temp\img_5672.exe.config
C:\DOCUME~1\[%brugerkonto%]\LOCALS~1\Temp\img_5672.exe
From there, “pacman.exe” is extracted and dropped onto the system, and the encryption of files on the local hard disk begins. The code searches the disk for data files and encrypts them, appending the new file extension “.ENCRYPTED” to every encrypted file. It then replaces the desktop background of the infected machine with instructions on how to regain access to the data, a typical ransomware strategy. See the attached screenshot. The ransom is demanded in Bitcoin.
Besides containing ransomware, the code also carries keylogging capabilities.
After a system has been compromised, it calls home to the central C&C server (sanitized by CSIS):
http://myplacehome[.]comuv.com/crypted.php
http://myplacehome[.]comuv.com/locked.php
We have blocked this domain in CSIS Secure DNS and Heimdal PRO/Corporate to prevent data leakage.
One of the malicious functions the code carries out continuously is a “kill process” loop that terminates the following legitimate system tools:
taskmgr
cmd
regedit
msconfig
sdclt
rstrui
powershell
Clearly, this can complicate the removal of “pacman” from an infected system.
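Pulling the observable behaviours described above (the drop location in %TEMP%, the process-killing loop, the mass rename to “.ENCRYPTED” and the two C&C URLs) into a single host-based detection, as an added example that is not CSIS’s code; the event format and the sample telemetry are constructed for illustration, and the thresholds are assumptions:

```python
import re
from collections import defaultdict

# Behaviours reported for "Pacman" in the advisory above.
KILLED_TOOLS = {"taskmgr", "cmd", "regedit", "msconfig", "sdclt", "rstrui", "powershell"}
C2_HOST = "myplacehome.comuv.com"        # de-fanged in the advisory as myplacehome[.]comuv.com
C2_PATHS = {"/crypted.php", "/locked.php"}
DROPPER_RE = re.compile(r"\\temp\\img_5672\.exe(\.config)?$", re.I)

# Constructed sample telemetry (not real logs): one dict per event, "t" in seconds.
SAMPLE_EVENTS = [
    {"t": 0, "type": "file_create", "proc": "img_5672.exe", "path": r"C:\DOCUME~1\user\LOCALS~1\Temp\img_5672.exe"},
    {"t": 1, "type": "proc_terminate", "proc": "img_5672.exe", "target": "taskmgr.exe"},
    {"t": 2, "type": "proc_terminate", "proc": "img_5672.exe", "target": "cmd.exe"},
    {"t": 3, "type": "proc_terminate", "proc": "img_5672.exe", "target": "regedit.exe"},
    {"t": 4, "type": "file_rename", "proc": "pacman.exe", "path": r"C:\data\a.docx", "new_path": r"C:\data\a.docx.ENCRYPTED"},
    {"t": 4, "type": "file_rename", "proc": "pacman.exe", "path": r"C:\data\b.xlsx", "new_path": r"C:\data\b.xlsx.ENCRYPTED"},
    {"t": 5, "type": "http", "proc": "pacman.exe", "host": C2_HOST, "path": "/crypted.php"},
    {"t": 9, "type": "proc_terminate", "proc": "explorer.exe", "target": "notepad.exe"},  # benign noise
]

def detect_pacman(events, kill_threshold=3, window=60, rename_threshold=2):
    """Return a sorted list of (process, indicator) pairs for behaviours from the advisory.
    Thresholds (assumed values) keep single, legitimate terminations or renames from alerting."""
    hits = set()
    kills = defaultdict(list)     # proc -> timestamps of terminations of the protected tools
    renames = defaultdict(int)    # proc -> number of files renamed to *.ENCRYPTED
    for ev in events:
        proc = ev["proc"]
        if ev["type"] == "file_create" and DROPPER_RE.search(ev["path"]):
            hits.add((proc, "dropper written to %TEMP% as img_5672.exe"))
        elif ev["type"] == "proc_terminate":
            name = ev["target"].lower()
            if name.endswith(".exe"):
                name = name[:-4]
            if name in KILLED_TOOLS:
                kills[proc].append(ev["t"])
                # Sliding window: the same process repeatedly killing admin tools.
                recent = [t for t in kills[proc] if ev["t"] - t <= window]
                if len(recent) >= kill_threshold:
                    hits.add((proc, "repeated termination of system tools"))
        elif ev["type"] == "file_rename" and ev["new_path"].upper().endswith(".ENCRYPTED"):
            renames[proc] += 1
            if renames[proc] >= rename_threshold:
                hits.add((proc, "mass rename to .ENCRYPTED"))
        elif ev["type"] == "http" and ev["host"] == C2_HOST and ev["path"] in C2_PATHS:
            hits.add((proc, "beacon to Pacman C&C"))
    return sorted(hits)
```

Feeding real Sysmon or EDR events into the same shape lets the C&C check stand on its own while the kill and rename counters only fire on the repeated, bursty behaviour the advisory describes.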
The main component has the following antivirus detection (20/57):
https://www.virustotal.com/en/file/68931ef9cf810d5a69d8ebf33155db7845fffcc685b1ae9f0670803bb97228cc/analysis/