When we think of Greek-themed malware, the trojan family generally comes to mind. Not anymore, Sigma is a new ransomware delivered via phishing email.
On November 8, 2017, threat actors sent a phishing email warning of impending charges to the recipient’s MasterCard if he or she did not open the attached encrypted Word document.
Figure 1 – Phishing email that deliver the malicious Word document.
Unsurprisingly, this document contained a macro that downloaded a payload from hxxp://6vt4gbkwnjfnyo6g.onion.link/svchost.exe.
Figure 2 – Prompt to enable macros after opening attachment
Leveraging svchost.exe, it drops Sigma onto the host. Once the payload is launched on the machine, it performs several techniques to ensure it is not in an analysis environment and begins to ping 220.127.116.11 and scouring for virtualization signatures. When satisfied with its environment, Sigma downloads the component to connect to Tor. Sigma, then establishes several connections to different Tor exit nodes and begins encrypting files on the host with a .6Tdp extension. After successfully encrypting the files, a ransom message is displayed with instructions on how to navigate to the payment site.
Figure 3 – Ransom message displayed after successfully encrypting files
If a user navigates to the payment site, they will be given instruction on how to pay the ransom. The threat actors also give the user the option to chat with them in exchange for decrypting one of their files.
Figure 4 – Sigma payment site with instructions on how to pay the ransom
With the threat landscape constantly evolving, analysts and network defenders must employ both their skills and advanced technology to overcome adversaries. In the Phishing Defense Center, our threat analysts were able to quickly discover and escalate this threat for in depth analysis thanks to the visibility provided by PhishMe Triage™.
Don’t ever miss another threat – sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.