Installation
This threat can be installed on your PC from a spam email attachment that tricks you into downloading and opening it. We have seen malware attacks using this threat in Russia. Examples of the email are shown below.
Here is an example of an email in Russian. It claims that you owe the sender money from a business transaction which has to be paid in three business days:
The following screenshot is another example, also written in Russian. It says that an order has been completed and that you must pay the sender money within three business days, that the attachment includes an invoice and a "virus encryptor", and that it will cost you several hundred Euros if you attempt to delete the virus encryptor:
The attached file usually contains JavaScript files. Running the JavaScript files will download and install the ransomware and other files onto your PC. We detect these JavaScript files as variants of TrojanDownloader:JS/Xibow.
Payload
Encrypts the files on your PC
We have seen Xibow samples connect to the following sites to download malicious files:
The ransomware payload batch script is usually downloaded and saved with the following file names:
It usually searches drives B: to Z: for files with the following extensions:
- .1cd
- .accdb
- .ai
- .cd
- .cdr
- .doc
- .docx
- .dwg
- .jpg
- .jpeg
- .max
- .mdb
- .pdf
- .rar
- .slddrw
- .svg
- .xls
- .xlsm
- .xlsx
- .zip
This threat uses GNUPG, a free tool that encrypts data. Xibow can download this tool and install it with the following file names:
The public key used to encrypt the files is dropped into one of the following folders, imported with GNUPG's command-line options, and then deleted:
Some variants can leave the private encryption key on your PC. However, your files will be encrypted again and copied to these locations:
After the files are encrypted, they are usually renamed with the email contact as an extension.
For example:
- <encrypted_file name>.paycrypt@gmail_com
- <encrypted_file name>.keybtc@gmail_com
Instructions on how to retrieve the files are also dropped as a text file in the %TEMP% folder, usually with the following names:
- DECODE.txt
- KEYBTC_GMAIL_COM.txt
- KEYBTC.txt
- PAYCRYPT_GMAIL_COM.txt
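The renaming scheme and ransom-note names described above are enough to triage a file listing from an affected machine. The following is an added example written for this page, not code from the write-up or from the malware; it assumes the original file name, extension included, is kept in front of the appended contact-address suffix, and uses a constructed sample listing:

```python
import ntpath
import re
from collections import Counter

# Extensions the write-up says the batch script looks for on drives B: to Z:.
TARGETED_EXTENSIONS = {
    ".1cd", ".accdb", ".ai", ".cd", ".cdr", ".doc", ".docx", ".dwg", ".jpg", ".jpeg",
    ".max", ".mdb", ".pdf", ".rar", ".slddrw", ".svg", ".xls", ".xlsm", ".xlsx", ".zip",
}
RANSOM_NOTES = {"DECODE.txt", "KEYBTC_GMAIL_COM.txt", "KEYBTC.txt", "PAYCRYPT_GMAIL_COM.txt"}
# Suffix = contact address with '_' in place of the dots in its domain (paycrypt@gmail_com).
# Assumption: the original name, extension included, is kept in front of the suffix.
SUFFIX_RE = re.compile(r"^(?P<original>.+)\.(?P<contact>[a-z0-9._-]+@[a-z0-9-]+_[a-z]{2,})$", re.I)

def classify_name(filename):
    """Return (original_name, contact) for a Xibow-style renamed file, else None."""
    m = SUFFIX_RE.match(filename)
    return (m.group("original"), m.group("contact").lower()) if m else None

def triage(paths):
    """Summarise a path listing: encrypted files, counts per original extension and per
    contact address, ransom notes, and hits whose extension is not on the published list."""
    report = {"encrypted": [], "by_ext": Counter(), "contacts": Counter(),
              "notes": [], "off_list": []}
    for path in paths:
        name = ntpath.basename(path)  # ntpath splits Windows paths on any host OS
        if name in RANSOM_NOTES:
            report["notes"].append(path)
            continue
        hit = classify_name(name)
        if hit is None:
            continue
        original, contact = hit
        ext = ntpath.splitext(original)[1].lower()
        report["encrypted"].append((path, original))
        report["by_ext"][ext] += 1
        report["contacts"][contact] += 1
        if ext not in TARGETED_EXTENSIONS:  # possible variant with a wider target list
            report["off_list"].append(path)
    return report

# Constructed sample listing (not real victim data), as a directory walk would produce.
SAMPLE_PATHS = [
    r"D:\work\report.docx.paycrypt@gmail_com",
    r"D:\work\photo.jpg.keybtc@gmail_com",
    r"D:\archive\backup.zip.paycrypt@gmail_com",
    r"D:\work\data.txt.paycrypt@gmail_com",
    r"D:\work\notes.txt",
    r"C:\Users\user\AppData\Local\Temp\DECODE.txt",
]
```

Feed `triage()` the output of a directory walk over the drives the script targets; the `off_list` entries are worth a second look because they indicate a variant encrypting more than the documented extensions.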
We have seen them copied to the following locations:
The following screenshot is an example of a text file with payment instructions in Russian:
Sends spam emails
We have also seen this threat download other command-line utilities used to send malicious spam emails. These tools can:
- Collect your emails
- Send spam emails
- Steal your passwords
The spam templates, in HTML format, are also dropped in the %TEMP% folder.
Related information
Analysis by Elda Tan Seng