Installation
Threats in this family can be installed from malicious links in spam email. For example, we have seen this family spread using a malicious link in the following spam email written in German:
Sehr geehrte Frau,
durch meine mehr als 7-jährige Berufserfahrung und die kontinuierliche, selbständige Weiterbildung bin ich davon überzeugt, die mit der herausfordernden Stelle verbundenen Anforderungen zu Ihrer Zufriedenheit erfüllen zu können. Daher bewerbe ich mich hiermit gerne bei Ihrem Unternehmen.
Bereits während meiner Ausbildung hatte ich die Möglichkeit, Tätigkeiten der geforderten Tätigkeiten kennenzulernen.
Eine hohe Einsatzbereitschaft sowie sorgfältiges aber effektives Arbeiten ist für mich die Grundlage, um die dort gesteckten Unternehmensziele zu erreichen.
Mein Ziel ist es, die angeeigneten Fähigkeiten gewinnbringend in Ihrem Unternehmen einzusetzen und mich dabei selbst kontinuierlich weiterzuentwickeln, um stets ein leistungsfähiger Mitarbeiter in Ihrem Unternehmen zu sein.
Gerne überzeuge ich Sie bei einem persönlichen Vorstellungsgespräch von meinen Fähigkeiten.
Mit freundlichem Gruß
Anhang:
Bewerbungsunterlagen
https://www.dropbox.com/sh/<removed>/AAAwA0Psz1NFNrkJD1punU5Ja?dl=0
(Sie müssen sich nicht extra registieren um meine Bewerbung zu erhalten, Entschuldigen Sie bitte, mein Provider streikt!)
In English the message reads:
Dear Madam,
With more than 7 years of professional experience and continuous self-training, I am confident I would be able to meet the requirements associated with the challenging position to your satisfaction. Thus, I am applying for this role.
During my training, I had the opportunity to experience many of these activities.
A high level of commitment and careful but effective work is the basis for me to achieve the corporate goals.
My goal is to successfully employ my appropriate skills in your company and to continually develop in order to always be an efficient employee in your company.
I would like to interview with you to further discuss my abilities.
With kind regards
Attachment:
Application
https://www.dropbox.com/sh/<removed>/AAAwA0Psz1NFNrkJD1punU5Ja?dl=0
(you don’t need to register to see my application, sorry, my provider is on strike!)
The malware is downloaded if you click the malicious link.
We have seen it use the following file names:
- Bewerbung.PDF.exe
- Bewerbungsunterlagen.PDF.exe
- BewerbungsmappeZeugnisseLebenslauf.exe
- UnterlagenBewerbung.pdf.exe
The malware can also inject its code into clean processes, such as explorer.exe or taskhost.exe.
Payload
Encrypts your files
This ransomware searches all folders for files with the following extensions and then encrypts them:
.3dm .3ds .3fr .3g2 .3ga .3gp .a2c .aa .aa3 .aac .accdb .aepx .ai .aif .amr .ape .apnx .ari .arw .asf .asp .aspx .asx .avi .azw .azw1 .azw3 .azw4 .bak .bay .bin .bmp .camproj .ccd
.cdi .cdr .cer .cgi .class .cmf .cnf .conf .config .cr2 .crt .crw .crwl .cs .csv .cue .dash .dat .dbf .dcr .dds .der .disc .dmg .dng .doc .docm .docx .dvd .dwg .dxf .eip .emf .eml
.eps .epub .erf .fff .flv .gfx .gif .gzip .htm .html .iiq .indd .ini .iso .jar .java .jfif .jge .jpe .jpeg .jpg .js .jsp .k25 .kdc .key .lit .m3u .m4a .m4v .max .mdb .mdf .mef
.mkv .mobi .mov .movie .mp1 .mp2 .mp3 .mp4 .mp4v .mpa .mpe .mpeg .mpg .mpv2 .mrw .msg .mts .nef .nrg .nri .nrw .number .obj .odb .odc .odf .odm .odp .ods .odt .ogg .orf .p12 .p7b
.p7c .pages .pdd .pdf .pef .pem .pfx .php .png .pps .ppt .pptm .pptx .prf .ps .psd .pspimage .pst .ptx .pub .py .qt .r3d .ra .raf .ram .rar .raw .rm .rpf .rtf .rw2 .rwl .sql
.sqllite .sr2 .srf .srt .srw .svg .swf .tga .tiff .toast .ts .txt .vbs .vcd .vlc .vmdk .vob .wav .wb2 .wma .wmv .wpd .wps .x3f .xlk .xls .xlsb .xlsm .xlsx .xml .xps .xsl .yuv .zip
After the files are encrypted, the ransomware renames the files by appending ".crypt" to the affected file extension. For example:
- file.png is renamed to file.png.crypt
- file.bin is renamed to file.bin.crypt
The malware doesn't encrypt files in the following directories:
- \Local
- \LocalLow
- \Microsoft
- \Mozilla Firefox
- \Opera
- \$Recycle.Bin
- \Temp
- \Windows
- \Chrome
- \Internet Explorer
It creates the following file in every directory where files have been encrypted:
- YOUR_FILES_ARE_ENCRYPTED.HTML
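The following triage helper is an added example (not part of this write-up or any vendor tool). Given a list of Windows file paths collected from a host, it flags the artifacts described above: the lure executables with document-looking double extensions, files renamed with the ".crypt" suffix, and the YOUR_FILES_ARE_ENCRYPTED.HTML note, and it separates hits inside the directories the ransomware skips. The path list and the extension subset are constructed for the example.

```python
from pathlib import PureWindowsPath

# Lure file names from the write-up (lower-cased for comparison).
LURE_NAMES = {
    "bewerbung.pdf.exe", "bewerbungsunterlagen.pdf.exe",
    "bewerbungsmappezeugnisselebenslauf.exe", "unterlagenbewerbung.pdf.exe",
}
# Directory names the ransomware skips, per the write-up.
SKIPPED_DIRS = {"local", "locallow", "microsoft", "mozilla firefox", "opera",
                "$recycle.bin", "temp", "windows", "chrome", "internet explorer"}
NOTE_NAME = "your_files_are_encrypted.html"
CRYPT_SUFFIX = ".crypt"


def original_name(file_name):
    """Reverse the rename: 'file.png.crypt' -> 'file.png'; unchanged if no .crypt suffix."""
    lower = file_name.lower()
    if lower.endswith(CRYPT_SUFFIX):
        return file_name[:-len(CRYPT_SUFFIX)]
    return file_name


def classify(path_str):
    """Label one path as 'ransom_note', 'lure_executable', 'encrypted_file', or None."""
    name = PureWindowsPath(path_str).name.lower()
    if name == NOTE_NAME:
        return "ransom_note"
    # Known names, plus a heuristic for any '.pdf.exe'-style double extension.
    if name in LURE_NAMES or (name.endswith(".exe") and ".pdf." in name):
        return "lure_executable"
    if name.endswith(CRYPT_SUFFIX):
        return "encrypted_file"
    return None


def in_skipped_dir(path_str):
    """True if any directory component is one the ransomware is said to leave alone."""
    parts = {part.lower() for part in PureWindowsPath(path_str).parts[:-1]}
    return bool(parts & SKIPPED_DIRS)


def summarize(paths):
    """Count indicators; encrypted files in skipped dirs get their own bucket."""
    counts = {}
    for path in paths:
        label = classify(path)
        if label == "encrypted_file" and in_skipped_dir(path):
            label = "encrypted_in_skipped_dir"  # unexpected for this family
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts


SAMPLE_PATHS = [  # constructed host listing
    r"C:\Users\anna\Documents\budget.xlsx.crypt",
    r"C:\Users\anna\Pictures\holiday.jpg.crypt",
    r"C:\Users\anna\Documents\YOUR_FILES_ARE_ENCRYPTED.HTML",
    r"C:\Users\anna\Downloads\Bewerbung.PDF.exe",
    r"C:\Users\anna\AppData\Local\Temp\cache.bin",
    r"C:\Users\anna\Documents\notes.txt",
]
```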
It then shows a ransom note in Internet Explorer that threatens to expose and publish the encrypted pictures and documents online if you don't pay the ransom. We have seen it display the following message:

In English the message reads:
You are a victim of Chimera Malware.
Your private files/data were encrypted and without a special key file, you won’t be able to recover.
Some of your programs probably don’t work anymore.
You can pay with bitcoins to this address in order to receive your special key.
Address: <URL>
Cost: 1,03283901 Bitcoins
You can find where to get your key and other information you need to restore your files on the following website.
<URL>
If you don’t heed our warning, all your files and photos along with your personal information will be published on the internet.
If you don’t have any technical know-how, contact [someone who does] so that they can explain that this threat is legitimate.
Connects to a remote host
We have seen this malware connect to remote hosts, including:
- 95.165.<removed>.168
- 158.222.<removed>.81
Analysis by Elda Tan Seng