Return of Necurs with new Scarab Ransomware Campaign

December 22nd 2017

The world’s largest spam botnet, "Necurs", has generated over 10 million spam emails within just a few hours as part of a campaign to spread "Scarab" ransomware. The Necurs botnet is targeting .com and .co.uk-based email addresses. The SlashNext system is still seeing activity related to this malware, with the highest infection rates in the United States, United Kingdom, Australia, France and Germany.

What your employees need to know:

This attack comes on the heels of malware campaigns run in the last few months, including the "Trickbot" and "Dridex" banking trojans as well as "Locky," "GlobeImposter" and "Jaff" ransomware. Attackers are using a specially crafted email whose subject line makes it appear to come from a trusted company; in this campaign the lure is a document scanned on an office printer. Subject lines include:

  • Scanned from HP
  • Scanned from Lexmark
  • Scanned from Epson
  • Scanned from Canon

These emails carry a 7zip archive containing a .vbs (Visual Basic Script) file with the same name as the archive: image{date}{randomnumber}.vbs. If the archive is opened and the script is run, it kicks off the execution of Scarab ransomware.

The SlashNext system will continue to monitor for additional attacks from this botnet and keep our customers updated.

What your IT/Security team needs to know:

Once the .vbs file is executed, the Windows Script Host (wscript.exe) runs code that tries to download the actual payload from one of several URLs (listed under Indicators of Compromise below).

In this example, the executable was downloaded from the URL xploramail[.]com/JHgd476?

The file is downloaded into the %temp% directory and is the Scarab ransomware executable; once it runs, the computer is infected.

How it works: execution flow of Scarab Ransomware

Once executed, it:

  1. Copies itself to the %AppData% (Roaming) directory under the name "sevnz.exe"
  2. Adds a registry key to maintain persistence
  3. Scans all drives for files with any of the targeted extensions
    Note: there are 3,514 targeted file extensions in total.
  4. Reads the files one by one and encrypts their contents with AES
  5. Writes the encrypted data to a new file
  6. Deletes all shadow copies and system backups and disables Windows recovery mode
    Please note: this differs from some other ransomware, which leaves shadow copies intact.
  7. Changes the Windows Boot Status Policy so the system boots normally even if the previous shutdown failed
  8. Appends the following string to the encrypted filenames:
    .[suupport@protonmail.com].scarab

After encrypting the files, it drops a text file named "IF YOU WANT TO GET ALL YOUR FILES BACK, THEN READ THIS.txt" in every folder where files were encrypted. The note tells the victim "Your files are now encrypted!", provides a personal unique identifier to quote when paying the ransom and gives instructions on how to recover the encrypted files. It also offers the victim a test decryption of three files.

After the encryption process completes, it deletes all downloaded files related to the ransomware and displays the ransom message.

The debug screenshot (above) depicts the execution steps of the .vbs script and of Scarab ransomware (sevnz.exe) described in this section.
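The execution flow above maps directly onto host telemetry. What follows is an added example, not SlashNext's code and not part of the original post: a small Python rule set that runs over constructed process-creation records and file names and flags each stage the post describes (the image{date}{randomnumber}.vbs dropper under wscript.exe, the sevnz.exe copy in the Roaming profile, the recovery tampering, and the .[suupport@protonmail.com].scarab suffix plus ransom note on disk). The post does not quote the commands Scarab runs to delete shadow copies and backups, disable recovery and change the Boot Status Policy, so the vssadmin, wbadmin and bcdedit patterns are an assumption based on what ransomware commonly runs for those steps; every event in the sample is constructed, not captured.

```python
"""Behavioural detection for the Scarab execution chain described above.

Added example, not SlashNext's tooling. Rules run over process-creation
records (the fields a Sysmon Event ID 1 or EDR feed provides) and over file
names. Assumption: the post does not quote Scarab's exact command lines, so
the vssadmin/wbadmin/bcdedit patterns are the ones ransomware commonly uses
for those steps. All telemetry below is constructed.
"""
import re
from dataclasses import dataclass

ENCRYPTED_SUFFIX = ".[suupport@protonmail.com].scarab"
RANSOM_NOTE = "IF YOU WANT TO GET ALL YOUR FILES BACK, THEN READ THIS.txt"


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the started process
    command_line: str
    parent_image: str   # full path of the parent process


def _name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def rule_vbs_dropper(e):
    # wscript/cscript running a script named image<digits...>.vbs, the lure's naming scheme
    return (_name(e.image) in ("wscript.exe", "cscript.exe")
            and re.search(r'image\d[^\\"]*\.vbs\b', e.command_line, re.I) is not None)

def rule_sevnz_copy(e):
    # the ransomware's own copy under ...\AppData\Roaming\sevnz.exe
    return re.search(r"\\appdata\\roaming\\sevnz\.exe$", e.image, re.I) is not None

def rule_shadow_copy_deletion(e):
    cmd = e.command_line.lower()
    return _name(e.image) == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd

def rule_backup_deletion(e):
    return _name(e.image) == "wbadmin.exe" and "delete" in e.command_line.lower()

def rule_recovery_disabled(e):
    return (_name(e.image) == "bcdedit.exe"
            and re.search(r"recoveryenabled\s+no\b", e.command_line, re.I) is not None)

def rule_boot_status_policy(e):
    cmd = e.command_line.lower()
    return _name(e.image) == "bcdedit.exe" and "bootstatuspolicy" in cmd and "ignoreallfailures" in cmd

RULES = {
    "vbs_dropper_via_wscript": rule_vbs_dropper,
    "sevnz_copy_in_roaming": rule_sevnz_copy,
    "shadow_copy_deletion": rule_shadow_copy_deletion,
    "backup_deletion": rule_backup_deletion,
    "recovery_disabled": rule_recovery_disabled,
    "boot_status_policy_changed": rule_boot_status_policy,
}
TAMPER_RULES = {"shadow_copy_deletion", "backup_deletion", "recovery_disabled", "boot_status_policy_changed"}


def detect(events):
    """(event_index, rule_name) for every rule that fires, in event order."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]

def tamper_rules_spawned_by_sevnz(events):
    """Tamper rules fired by direct children of sevnz.exe; several together is high confidence."""
    return {name for i, name in detect(events)
            if name in TAMPER_RULES and _name(events[i].parent_image) == "sevnz.exe"}

def classify_file(name: str):
    """'encrypted_file', 'ransom_note' or None for a file name seen on disk."""
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted_file"
    if name == RANSOM_NOTE:
        return "ransom_note"
    return None


# Constructed telemetry: one benign event, then the chain from the post.
SEVNZ = r"C:\Users\bob\AppData\Roaming\sevnz.exe"
DROPPED = r"C:\Users\bob\AppData\Local\Temp\payload.exe"   # made-up name for the %temp% download
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\AppData\Local\Temp\7zO1\image20171218-4417.vbs"',
              r"C:\Program Files\7-Zip\7zFM.exe"),
    ProcEvent(DROPPED, DROPPED, r"C:\Windows\System32\wscript.exe"),
    ProcEvent(SEVNZ, SEVNZ, DROPPED),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet", SEVNZ),
    ProcEvent(r"C:\Windows\System32\wbadmin.exe", "wbadmin DELETE SYSTEMSTATEBACKUP -quiet", SEVNZ),
    ProcEvent(r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled No", SEVNZ),
    ProcEvent(r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures", SEVNZ),
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("tamper rules from sevnz.exe:", sorted(tamper_rules_spawned_by_sevnz(SAMPLE_EVENTS)))
```

Each rule on its own is noisy (administrators do run vssadmin and bcdedit), which is why tamper_rules_spawned_by_sevnz ties them to the parent process: four different recovery-tampering commands launched by one executable in the Roaming profile is the pattern worth paging on, not any single command.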

Reference to Game of Thrones

As seen in previous Necurs campaigns, the VB script internally contains references to the HBO series "Game of Thrones".

What SlashNext found

Indicators of Compromise: SHA-1 hashes of the archives and executables

  • c527bc757a64e64c89aaf0d9d02b6e97d9e7bb3d
  • d31beec9e2c7b312ecedb594f45a9f5174155c68
  • 85dc3a0b833efb1da2efdcd62fab565c44f22718
  • 3f51fb51cb1b9907a7438e2cef2e538acda6b9e9
  • da1e2542b418c85f4b57164e46e04e344db58ab8
  • a6f1f2dd63d3247adb66bd1ff479086207bd4d2b
  • 14680c48eec4e1f161db1a4a990bd6833575fc8e
  • b4a671ec80135bfb1c77f5ed61b8a3c80b2b6e51
  • b0af9ed37972aab714a28bc03fa86f4f90858ef5
  • 6fe57cf326fc2434c93ccc0106b7b64ec0300dd7
  • af5a64a9a01a9bd6577e8686f79dce45f492152e
  • 7ac23eee5e15226867f5fbcf89f116bb01933227

Payload download URLs:

  • http://xploramail.com/JHgd476?
  • http://miamirecyclecenters.com/JHgd476?
  • http://hard-grooves.com/JHgd476?
  • http://atlantarecyclingcenters.com/JHgd476?
  • http://pamplonarecados.com/JHgd476?
  • http://hellonwheelsthemovie.com/JHgd476?

Contact address in the ransom note:

  • suupport@protonmail.com
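To put these indicators to work, here is an added example (not SlashNext's code) of an IoC sweep: it matches Squid-style proxy log lines against the download URLs and checks file contents against the SHA-1 list. All six URLs share the path /JHgd476? on unrelated hosts, so the matcher also reports that path on a host not in the list under its own verdict; that generalisation is an addition here, not a claim from the post. The log lines are constructed, and the host stationery-deals.example in them is made up.

```python
"""IoC sweep for the Necurs/Scarab indicators listed above.

Added example, not SlashNext's code. It matches proxy log entries against the
payload download URLs and checks file contents against the SHA-1 list. Because
all six download URLs share the path /JHgd476? on unrelated hosts, the matcher
also flags that path on a host not in the list; that is a generalisation of
the post's indicators, reported under its own verdict so it can be tuned.
The proxy log lines below are constructed, not captured.
"""
import hashlib
import os
from urllib.parse import urlsplit

SHA1_IOCS = {
    "c527bc757a64e64c89aaf0d9d02b6e97d9e7bb3d", "d31beec9e2c7b312ecedb594f45a9f5174155c68",
    "85dc3a0b833efb1da2efdcd62fab565c44f22718", "3f51fb51cb1b9907a7438e2cef2e538acda6b9e9",
    "da1e2542b418c85f4b57164e46e04e344db58ab8", "a6f1f2dd63d3247adb66bd1ff479086207bd4d2b",
    "14680c48eec4e1f161db1a4a990bd6833575fc8e", "b4a671ec80135bfb1c77f5ed61b8a3c80b2b6e51",
    "b0af9ed37972aab714a28bc03fa86f4f90858ef5", "6fe57cf326fc2434c93ccc0106b7b64ec0300dd7",
    "af5a64a9a01a9bd6577e8686f79dce45f492152e", "7ac23eee5e15226867f5fbcf89f116bb01933227",
}
DOWNLOAD_URLS = [
    "http://xploramail.com/JHgd476?",
    "http://miamirecyclecenters.com/JHgd476?",
    "http://hard-grooves.com/JHgd476?",
    "http://atlantarecyclingcenters.com/JHgd476?",
    "http://pamplonarecados.com/JHgd476?",
    "http://hellonwheelsthemovie.com/JHgd476?",
]
IOC_HOSTS = {urlsplit(u).hostname for u in DOWNLOAD_URLS}
IOC_PATH = "/JHgd476"          # urlsplit() leaves the trailing '?' as an empty query


def defang(url: str) -> str:
    """hxxp://host[.]tld/... so a hit can be pasted into a ticket safely."""
    scheme, rest = url.split("://", 1)
    host, sep, tail = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{sep}{tail}"


def match_url(url: str):
    """'known_host', 'known_path_new_host' or None."""
    parts = urlsplit(url)
    if (parts.hostname or "") in IOC_HOSTS:
        return "known_host"
    if parts.path == IOC_PATH:
        return "known_path_new_host"
    return None


def scan_proxy_log(lines):
    """Squid native access.log: time elapsed client action/code size method URL ..."""
    hits = []
    for line in lines:
        fields = line.split()
        url = next((f for f in fields if f.startswith(("http://", "https://"))), None)
        if url is None or len(fields) < 3:
            continue
        verdict = match_url(url)
        if verdict:
            hits.append((fields[2], defang(url), verdict))   # client IP, defanged URL, verdict
    return hits


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def hash_is_ioc(data: bytes) -> bool:
    return sha1_hex(data) in SHA1_IOCS


def sweep_directory(root: str):
    """Paths under root whose SHA-1 is in the IoC list (reads disk, so not exercised by the demo)."""
    matches = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    if hash_is_ioc(fh.read()):
                        matches.append(path)
            except OSError:
                continue
    return matches


# Constructed Squid-style log lines: a known host, a benign request, a made-up host
# serving the shared path, and a known host fetching a different path.
SAMPLE_LOG = [
    "1513900001.101 342 10.10.4.21 TCP_MISS/200 1732 GET http://xploramail.com/JHgd476? - HIER_DIRECT/203.0.113.7 application/octet-stream",
    "1513900002.412 88 10.10.4.22 TCP_HIT/200 5120 GET http://intranet.example/news.html - HIER_NONE/- text/html",
    "1513900003.977 301 10.10.4.23 TCP_MISS/200 1732 GET http://stationery-deals.example/JHgd476? - HIER_DIRECT/198.51.100.4 application/octet-stream",
    "1513900004.130 51 10.10.4.24 TCP_MISS/404 300 GET http://miamirecyclecenters.com/ - HIER_DIRECT/203.0.113.8 text/html",
]

if __name__ == "__main__":
    for client, url, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{verdict}]")
```

The path-only verdict is deliberately separate from the host match: Necurs rotates compromised hosts faster than any blocklist is updated, so the shared URI is often the longer-lived indicator, but it should be triaged rather than blocked blindly.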