{"id":87408,"date":"2019-01-21T13:07:49","date_gmt":"2019-01-21T07:37:49","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=87408"},"modified":"2023-09-25T16:22:56","modified_gmt":"2023-09-25T10:52:56","slug":"malspam-email-jack-malware-master-none","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/malspam-email-jack-malware-master-none\/","title":{"rendered":"Malspam email – Jack of all malware, master of none."},"content":{"rendered":"

Malspam email or malicious spam emails are considered to be one of the favorite malware delivery channels for the attackers to deliver the malware to targeted victims. Attackers also run spam email campaigns to distribute their malware to a large number of users.<\/p>\n

For attackers to succeed, two things are important \u2013 first is to get through the installed security product\u2019s spam email filters and secondly, the attachment should be opened by the user. To accomplish the second task, attackers use different tactics to make their malicious email look as attractive or legitimate as possible in order to trick users into opening such attachments.<\/p>\n

In earlier incidents, such spam campaigns were observed delivering the Monero (XMRig) cryptocurrency miner, Phorpiex spambot and Gandcrab ransomware through <\/em>zipped \u2018.js\u2019 attachments having names which start with \u201cLove_You_\u201d.<\/p>\n

How these attacks happen<\/u><\/strong><\/p>\n

Let us have a look at the below attack chain which depicts the execution sequence observed in this attack.<\/p>\n

 <\/p>\n

\"\"<\/p>\n

Fig: 1<\/strong> Attack chain<\/p>\n

The targeted victim will receive an email with subject name such as \u201cJust for You\u201d or \u201cLove You\u201d. Email contains attachments having names that start with \u201cLove_You_\u201d.<\/p>\n

\"\"<\/p>\n

Fig 2:<\/strong> Email with zip attachment.<\/p>\n

In the above screenshot, the attached\u00a0zip file<\/strong>\u00a0contains js file having the same name as the zip file.<\/p>\n

\"\"<\/p>\n

Fig 3:<\/strong>\u00a0 JavaScript File<\/p>\n

As shown in fig. 3 The highlighted command which downloads the initial exe file with random_number as the name of the file through a bitsadmin command from the malicious link \u201chxxp:\/\/slpsrgpsrhojifdij.ru\u201d and drops the downloaded file at %temp%.<\/p>\n

This random_number.exe drops a copy of itself at \u201cC:\\Windows\u201d with name \u201cwinsvcs.exe\u201d which further acts as a malware downloader and downloads the exe files at %temp% as shown in the highlight below in the Wireshark traffic snippet.<\/p>\n

\"\"<\/p>\n

Fig 4:<\/strong>\u00a0 Malware downloader downloads exe files.<\/p>\n

Dropped Random_number.exe file performs Monero (XMRig) cryptocurrency miner activity. Below fig. shows traffic for Monero (XMRig) cryptocurrency miner.<\/p>\n

\"\"<\/p>\n

Fig 5<\/strong>: Traffic for Monero (XMRig) cryptocurrency miner<\/p>\n

Again it drops random_number.exe file at %temp% which is responsible for Phorpiex spambot malware. This Random_number.exe drops \u201cwincfg32svc.exe\u201d at \u201cC:\\Windows\u201d location. \u201cwincfg32svc.exe\u201d file tries to send spam emails from the infected host as shown in the below procmon snapshot.<\/p>\n

\"\"<\/p>\n

Fig 6:<\/strong> Phorpiex spambot send spam mail from infected host.<\/p>\n

Malware<\/a> downloader then drops another random_number.exe which is a payload for Gandcrab V5.0.4 at %temp% which starts encryption activity on the victim\u2019s computer with AES encryption, and appends \u2018. random letters\u2019 extension to encrypted files.<\/p>\n

We found that it encrypts only NON-PE files from the victim\u2019s machine. It drops the below ransom note:<\/p>\n

\"\"<\/p>\n

Fig 7:<\/strong>\u00a0 Ransom note<\/p>\n

\"\"<\/p>\n

Fig 8: <\/strong>\u00a0Encrypted file pattern<\/p>\n

Quick Heal proactively protects its users from this threat:<\/strong><\/p>\n

\"\"<\/p>\n

Fig 9: Email protection.<\/strong><\/p>\n

\"\"<\/p>\n

Fig 10:<\/strong>\u00a0 Behavior Detection<\/p>\n

\"\"<\/p>\n

Fig.11:<\/strong> Anti Ransomware<\/p>\n

How to stay safe from ransomware attacks<\/strong><\/p>\n