Products
Products
Detection
Response
Intelligence
About Cofense
About Cofense
Leadership
Free Tools
Free Tools
Build Resilience
Create Transparency
Speed Response

Welcome to the Cofense Blog

Get the latest information on phishing threats and trends, BEC, ransomware and credential phishing, plus Cofense product updates.

Follow us on Social Media

Spooky Ransomware Steals Past SEGs in Under 15 Minutes

By Harsh Patel and Zachary Bailey, Cofense Phishing Defense Center

Dealing with a ransomware attack on any businesses, organizations – or individuals – can turn into a nightmare scenario quickly. Ransomware typically has a two-pronged attack style. It not only denies the target access to their own computer, but it also attacks targets monetarily by demanding some form of payment to relinquish control.

This type of malware attack can be carried out through various methods with one of the most popular being through phishing emails. Over the past year with the rise in ransomware attacks, Cofense has observed threat actors delivering reconnaissance and data exfiltrating tools ahead of the final ransom attack. In early November, the Cofense Phishing Defense Center (PDC) intercepted and analyzed such an email that made its way into the inbox of targets using a secure email gateway (SEG), and it delivered a Halloween-themed MIRCOP ransomware.

Figure 1: Email Body

Figure 1 shows that the email contains a lot of suspicious indicators such as a generic “from” domain and a subject saying “undisclosed-recipients.” In the email body itself, the threat actor is trying to suggest communication was lost for a previous arrangement and wanted support for a “DWG following Supplies List” that is hyperlinked to a Google Drive URL. Once clicked, the infection URL downloads an MHT file.

Figure 2: MHT File

MHT file extensions are commonly used by web browsers as a webpage archive. Figure 2 shows that after opening the file the target is presented with a blurred out and apparently stamped form, but the threat actor is using the MHT file to reach out to the malware payload (hXXps://a[.]pomf[.]cat/gectpe.rar).

 Figure 3: RAR File

 Figure 4: EXE File

As shown in Figure 3, the downloaded RAR file contains an EXE file. The executable is a DotNETLoader that uses VBS scripts to drop and run the MIRCOP ransomware in memory.

Figure 5: MIRCOP Ransomware Activated

After a few minutes, the ransomware starts the process of taking a screenshot, locking files, changing the background and running a program to find stored passwords in web browsers. MIRCOP ransomware is fully activated when the screen flashes, and the home screen is changed into the ransom note featured in Figure 5. The image dropped is extremely gory and will most likely deliver a shock to the user when coupled with the ransom message. The use of Skype as a medium to negotiate is uncommon, as most organized ransomware gangs have dedicated sites or mobile chat apps.

The MIRCOP ransomware, also known as Crypt888 ransomware, encrypts users’ files to hold them hostage. After the payment demand is met, the threat actor promises to provide the decryption method. For this attack, the threat actor gives a set of instructions on the wallpaper. The user is also unable to open any applications besides a few web browsers that can give them access to their email address which is used to contact the attacker. The email address is then used to set up the payment required to gain access to the decrypting tool the threat actor claims will unlock the files and applications.

Figure 6: Files Saved in Temp Folder

The file named Pl2.exe was originally named “Web Browser Pass View,” which is a tool known for retrieving passwords from the vaults of common web browsers. The executable’s icon shows Internet Explorer, Google Chrome, Firefox, and Opera, referencing its targets. Looking up the SHA256 hash of this executable on Virus Total, it can be linked to dozens of malicious executables going back to June of this year.

The files stored in the Temp folder associated with the malware:

  • Gbr.jpg – The screenshot that was taken after running the malware
  • 888.vbs – VBS scripts to automatically detonate the ransomware
  • MILKXC_LUCK COMPUTER.exe & x.exe – used to lock the files
  • Pl2.exe – The password utility known as “Web Browser Pass View”
  • PI2.txt – Where the passwords get stored
  • UYNHIJ.vbs – The VBS script that’s run by the DotNETLoader
  • Wl.jpg – Original image that replaces the current background

The MIRCOP ransomware poses a threat to medium-sized organizations as it can lock the files on critical computer systems. Its opening lure is business-themed, making use of a service – such as Google Drive – that enterprises employ for delivering files. The rapid deployment from the MHT payload to final encryption shows that this group is not concerned with being sneaky. Since the delivery of this ransomware is so simple, it is especially worrying that this email found its way into the inbox of an environment using a SEG.

In this case, a well-conditioned user quickly reported this email. They used Cofense Reporter, allowing the PDC to quickly identify the threat, allowing the organization to mitigate a potential incident. With Cofense Managed Phishing Detection and Response, provided by the PDC, enterprises can have our complete view of threats. Contact us to learn more.

Indicators of Compromise:

File Name: DWG FOLLOWING SUPPLIES LIST_xcod..mht

MD5: 9fee0de10d34f9e4fd53d5ef5e606b39

SHA256: 2eaa031bae075d1c703c706383bef403ddcb94d332bfe6c1622a76f2d4c9f572

File Size: 707213 bytes

File Name: gectpe.rar
MD5: c32d544fe375c3ecf031bdf53f479e26
SHA256: fe42dc8d01dba7f857a3d9468856e3e177fc87111b2d779e1daeb5f5f4f43546
File Size: 808853 bytes
File Name: ##% DWG FOLLOWING SUPPLIES LIST.exe
MD5: 4b5742ff803d73c6a6b8301e4031ac4a
SHA256: afd06217edd6cb3d1cbb7510ad26987ba3f7587d5f9d679ba06c587758622e9a
File Size: 1182021 bytes
File Name: Pl2.exe
MD5: 8104093918B6F2D2004535B24B1533BA
SHA256: 337A646E6F1A641D9471B840EE21BFF858E6BA24538A4F815191BE85E5003E70
File Size: 227840 bytes
File Name: BTVTLU_LUCK COMPUTER.exe
MD5: 6BFBD5CEC2A29ED6FB0780D0007F84B9
SHA256: F5D7586ECDECAF6E85C0B5865D1BD8280824B5D41A7A93833F8FB7BEFD50FDBE
File Size: 781722 bytes
File Name: 888.vbs
MD5: 8BE57121A3ECAE9C90CCE4ADF00F2454
SHA256: 35D7204F9582B63B47942A4DF9A55B8825B6D0AF295B641F6257C39F7DDA5F5E
File Size: 280 bytes
Infection URL hXXps://drive[.]google[.]com/file/d/1gm_jkT6Fga7F9m_0dzPcWBg3bXZMiiQC/view?usp=drive_web
Payload URL hXXps://a[.]pomf[.]cat/gectpe.rar
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.