Fake Order Malspam Campaign – JavaScript Downloading TeslaCrypt

The LookingGlass Cyber Threat Intelligence Group (CTIG) observed two waves of a new malspam campaign. The emails pretend to come from a company representative who claims to have paid the recipient an advance and asks for repayment, with an "invoice" attached. In both waves the attachment was actually a variation of an obfuscated JavaScript downloader that retrieves TeslaCrypt ransomware.

Below is a screenshot of what an example of this malspam campaign looks like:

[Screenshot: example email from the malspam campaign]

Below are the details of the emails that can be used for identification and blocking at your SMTP gateways:

Senders:
DuncanMary6778@forrestfieldfootballclub[.]com
RiceAntony432@kis[.]lt
Subjects:
Your order #08188585
Your order #19789119
Attachments:
invoice_08188585_scan.zip -> invoice_copy_XFVgos.js (MD5: FC6B9BCC4DFFECCB632EC9CBA82D755B)
invoice_19789119_scan.zip -> invoice_copy_lIdT8p.js (MD5: 594A6D5ECBF499573E16766179CE68CD)

A snippet of the obfuscated JavaScript can be seen below:

[Screenshot: snippet of the obfuscated JavaScript downloader]

Upon opening each of the attachments, the malicious JavaScript would execute and download the TeslaCrypt payloads from one of the following locations:

URI: hxxp://miracleworld1[.]com/80.exe?1
IP Resolution: 83.69.233[.]102
Payload MD5: 3414AFA0CC6E5676287BC9751702151C
URI: hxxp://firstwetakemanhat[.]com/91.exe?1
IP Resolution: 84.200.69[.]60
IP Resolution: 193.150.0[.]78
Payload MD5: AAD51084114E03B39CFF54DE292D6D93

Once a payload has been downloaded, the JavaScript runs it. The payload then performs a series of network communications with the C&Cs, which look like the following, before encrypting files on the victim machine:

[Screenshot: network communications between the payload and the C&Cs]

Communication to the below compromised servers being used as C&Cs was observed:

hxxp://athomegirl[.]com/wp-content/plugins/theme-check/misc.php? (192.185.52[.]150)
hxxp://austartupchallenge[.]org/wp-content/plugins/theme-check/misc.php? (50.87.149[.]43)
hxxp://awarenessandchoice[.]com/wp-content/plugins/theme-check/misc.php? (50.87.150[.]117)
hxxp://awaken-now[.]com/wp-content/plugins/theme-check/misc.php? (192.185.52[.]150)

Ultimately, the ransomware encrypts the files on the machine and presents the victim with the following ransom message:

[Screenshot: ransom message]

Opening one of the links in a normal web browser or opening the onion address in Tor leads the victim to the following page:

[Screenshots: payment page reached via the links or the Tor onion address]

These screens are very much borrowed from CryptoWall, presumably attempting to piggyback off of its successes. As can be seen in the below screenshot, it even calls itself CryptoWall:

[Screenshot: payment page referring to itself as CryptoWall]

The attackers have continued to use a $500 ransom. The two Bitcoin addresses that were observed by the CTIG are 1PVKcRKS4oLGvHU133cZoukkRxBGnz6Qef and 1Er3Xmk18RFk13fe9HdXHdrwY39QzqTaQu.

Interestingly enough, two of the C&Cs used in this campaign are currently returning a legitimate and signed Avira AV Launcher (MD5: CDA21B84D5711462D5B1B40491422CFD) instead of the expected response:

[Screenshots: C&C responses returning the signed Avira AV Launcher]

This is the same behavior we recently observed during a CryptoWall 3.0 campaign in early November: https://lgscout.com/fake-abuse-policy-cryptowall-3-0-campaign-domain-suspension-notice/

We have concluded that this activity is indicative of anonymous security researchers or a rival actor group trying to stop the spread of the ransomware.

The CTIG recommends blocking all of the above mentioned IOCs in your environment to proactively protect yourself from this threat. LookingGlass ScoutVision has observed 192.232.251[.]79 (athomegirl[.]com) as a C&C as early as December 12, 2015.

Summary of IOCs:

Sender addresses:
DuncanMary6778@forrestfieldfootballclub[.]com
RiceAntony432@kis[.]lt
IP Addresses:
83.69.233[.]102
84.200.69[.]60
193.150.0[.]78
192.232.251[.]79
50.87.149[.]43
50.87.150[.]117
192.185.52[.]150
URIs:
hxxp://miracleworld1[.]com/80.exe?1
hxxp://firstwetakemanhat[.]com/91.exe?1
hxxp://athomegirl[.]com/wp-content/plugins/theme-check/misc.php?
hxxp://austartupchallenge[.]org/wp-content/plugins/theme-check/misc.php?
hxxp://awarenessandchoice[.]com/wp-content/plugins/theme-check/misc.php?
hxxp://awaken-now[.]com/wp-content/plugins/theme-check/misc.php?
Malware MD5s:
FC6B9BCC4DFFECCB632EC9CBA82D755B
594A6D5ECBF499573E16766179CE68CD
3414AFA0CC6E5676287BC9751702151C
AAD51084114E03B39CFF54DE292D6D93
Filenames:
invoice_copy_XFVgos.js
invoice_copy_lIdT8p.js
80.exe
91.exe
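The post recommends blocking the IoCs above at the SMTP gateway and in the network. The following is an added example, not code from LookingGlass or the original post, of how a defender can turn the defanged indicator list into matchable values and run it over gateway and proxy logs. The log line formats (`from=... subject="..." attach=...` for mail, `... URL -> dest_ip` for proxy) and the sample lines are constructed for the example, and the subject and attachment regexes generalise the two observed samples ("Your order #" followed by eight digits, `invoice_<8 digits>_scan.zip` wrapping `invoice_copy_<6 alphanumerics>.js`), which is an assumption rather than something the post states.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the post's IoC summary, kept in the defanged form the
# post uses (hxxp://, [.]) so the list can be pasted straight from the report.
DEFANGED_SENDERS = [
    "DuncanMary6778@forrestfieldfootballclub[.]com",
    "RiceAntony432@kis[.]lt",
]
DEFANGED_IPS = [
    "83.69.233[.]102", "84.200.69[.]60", "193.150.0[.]78", "192.232.251[.]79",
    "50.87.149[.]43", "50.87.150[.]117", "192.185.52[.]150",
]
DEFANGED_URIS = [
    "hxxp://miracleworld1[.]com/80.exe?1",
    "hxxp://firstwetakemanhat[.]com/91.exe?1",
    "hxxp://athomegirl[.]com/wp-content/plugins/theme-check/misc.php?",
    "hxxp://austartupchallenge[.]org/wp-content/plugins/theme-check/misc.php?",
    "hxxp://awarenessandchoice[.]com/wp-content/plugins/theme-check/misc.php?",
    "hxxp://awaken-now[.]com/wp-content/plugins/theme-check/misc.php?",
]
MALWARE_MD5S = {
    "FC6B9BCC4DFFECCB632EC9CBA82D755B", "594A6D5ECBF499573E16766179CE68CD",
    "3414AFA0CC6E5676287BC9751702151C", "AAD51084114E03B39CFF54DE292D6D93",
}

# Lure patterns generalised from the two observed samples (an assumption, not
# something the post states).
SUBJECT_RE = re.compile(r"Your order #\d{8}")
ATTACH_RE = re.compile(
    r"invoice_\d{8}_scan\.zip|invoice_copy_[A-Za-z0-9]{6}\.js", re.I)


def refang(value):
    """Turn a defanged indicator (hxxp://, [.]) back into its matchable form."""
    value = value.replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.I)


SENDERS = {refang(s).lower() for s in DEFANGED_SENDERS}
IPS = {refang(i) for i in DEFANGED_IPS}
C2_HOSTS = {urlparse(refang(u)).netloc.lower() for u in DEFANGED_URIS}


def check_mail(line):
    """Reasons a gateway log line (from=... subject="..." attach=...) matches."""
    reasons = []
    m = re.search(r"from=(\S+)", line)
    if m and m.group(1).lower() in SENDERS:
        reasons.append("known sender")
    m = re.search(r'subject="([^"]*)"', line)
    if m and SUBJECT_RE.fullmatch(m.group(1)):
        reasons.append("subject pattern")
    m = re.search(r"attach=(\S+)", line)
    if m and ATTACH_RE.fullmatch(m.group(1)):
        reasons.append("attachment pattern")
    return reasons


def check_proxy(line):
    """Reasons a proxy log line ('... URL -> dest_ip') matches."""
    reasons = []
    m = re.search(r"\s(https?://\S+)\s+->\s+(\d{1,3}(?:\.\d{1,3}){3})", line)
    if not m:
        return reasons
    url, ip = m.group(1), m.group(2)
    if urlparse(url).netloc.lower() in C2_HOSTS:
        reasons.append("known host")
    if ip in IPS:
        reasons.append("known IP")
    return reasons


def is_known_hash(md5_hex):
    """True if an MD5 digest (any case) is one of the campaign's samples."""
    return md5_hex.strip().upper() in MALWARE_MD5S


def scan(lines, check):
    """Return [(line, reasons)] for every line that matched an indicator."""
    return [(line, check(line)) for line in lines if check(line)]


# Constructed sample log lines (not from the post) to exercise the checks.
SAMPLE_MAIL_LOG = [
    'from=DuncanMary6778@forrestfieldfootballclub.com subject="Your order #08188585" attach=invoice_08188585_scan.zip',
    'from=alice@example.org subject="Q4 planning" attach=agenda.pdf',
    'from=someone@example.net subject="Your order #55512345" attach=invoice_55512345_scan.zip',
]
SAMPLE_PROXY_LOG = [
    "2015-12-14T13:00:01Z 10.0.0.5 GET http://miracleworld1.com/80.exe?1 -> 83.69.233.102",
    "2015-12-14T13:00:09Z 10.0.0.5 POST http://awaken-now.com/wp-content/plugins/theme-check/misc.php?x=1 -> 192.185.52.150",
    "2015-12-14T13:01:00Z 10.0.0.7 GET http://www.example.com/index.html -> 93.184.216.34",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_MAIL_LOG, check_mail) + scan(SAMPLE_PROXY_LOG, check_proxy)
    for line, why in hits:
        print(f"HIT ({', '.join(why)}): {line}")
```

The third mail line shows why the pattern checks are kept separate from the exact-match indicators: a new wave with a fresh sender address and order number would still trip the subject and attachment patterns, while a sender-only blocklist would miss it. Conversely, a host or IP hit alone is worth confirming before acting, since the post itself notes that some of the C&C hosts are compromised legitimate WordPress sites.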