{"id":84308,"date":"2017-05-23T17:00:45","date_gmt":"2017-05-23T11:30:45","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=84308"},"modified":"2017-05-23T17:08:33","modified_gmt":"2017-05-23T11:38:33","slug":"pdf-files-embedded-docm-files-now-deliver-jaff-ransomware","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/pdf-files-embedded-docm-files-now-deliver-jaff-ransomware\/","title":{"rendered":"PDF files with embedded docm files now deliver Jaff Ransomware"},"content":{"rendered":"

Adding to the havoc created by the recent outbreak of the WannaCry Ransomware is a new entry to the list of encrypting ransomware called \u2018Jaff\u2019. Reportedly, this variant has been created by the authors of the Locky ransomware. The source of this ransomware is the Necurs botnet which is using PDF files with embedded docm <\/strong>to distribute this malware.<\/p>\n

Read more about WannaCry Ransomware<\/a><\/p>\n

Although its occurrence was overshadowed by the WannaCry – known to be the world’s biggest ransomware attack, the Jaff ransomware has successfully kept its persistence in the wild. In this attack, spam emails are sent to victims that contain nm.pdf <\/strong>[file name then changed to randomNo.pdf in later mails] <\/em>as attachments with embedded docm files.<\/p>\n

In earlier incidents, such unprecedented spam campaigns were observed delivering the Dridex Banking malware and then Locky ransomware.<\/p>\n

How the Jaff ransomware attack happens<\/u><\/strong><\/p>\n

1) The targeted victim will receive an email attachment. This may have keywords such as \u2018document\u2019, \u2018copy\u2019, \u2018scan\u2019, etc., in the subject line as shown below.<\/p>\n

\"jaff_ransomware_1\"
\nFig 1<\/p>\n

2) In the above screenshot, the attached nm.pdf<\/strong> contains embedded objects with names such as \u201cU3JPCNQ.docm\u201d, TZLEHYM.docm, etc.<\/p>\n

\"jaff_ransomware_1a\"Fig 2<\/p>\n

3) Once the victim opens the PDF file, the system\u2019s Adobe reader will throw a warning message stating that the file contains an attachment which may contain viruses or macro.<\/p>\n

\"jaff_ransomware_2\"
\nFig 3<\/p>\n

4) If the user selects \u2018Open this file\u2019, the docm file with \u2018enable content\u2019 option will get open.<\/p>\n

\"jaff_ransomware_3\"
\nFig 4<\/p>\n

5) Once the macro is enabled, it tries to communicate with hosts stored in an array as shown below (fig 4). It will try to communicate with the hosts one by one. And if it gets any response from any host, it will download malicious content and infect the system with the Jaff ransomware. Otherwise, it will try to connect to the other hosts until it gets any response.<\/p>\n

\"jaff_ransomware_4b\" \"jaff_ransomware_4a\"
\nFig 5<\/p>\n

Command and control server communication<\/strong><\/p>\n

\"jaff_ransomware_5\"<\/p>\n

Fig 6<\/p>\n

6) The downloaded malicious executable starts encrypting the files stored on the victim\u2019s computer with AES encryption, and appends \u2018.JAFF\u2019 extension to these files before displaying a ransomware note as shown below. Reportedly, Jaff demands a ransom of $3,300 which is 10 times as much as the ransom demanded by WannaCry ransomware – $300.<\/p>\n

\"jaff_ransomware_6a\"
\nFig 7<\/p>\n

\"jaff_ransomware_6\"<\/p>\n

Fig 8<\/p>\n

\"jaff_ransomware_7\"
\nFig 9<\/p>\n

Currently, files encrypted by the Jaff ransomware cannot be decrypted.<\/p>\n

Malicious URLs observed<\/strong><\/p>\n