8bit, posted April 18, 2017

We are currently being infected with the Spora ransomware. ESET NOD32 does not pick up the infections after scanning. It has not been able to hold our PCs ransom but has corrupted MS Office files. The file names were not changed nor encrypted. It has affected Windows 8 and 10 machines without admin rights. decrypt.txt or similar files have not been found on any of these systems. The infection stored an exe file within the Startup folder and I will add to this thread as we learn more. We did find an HTML file that contained the Spora ransomware name, RSA info, and Russian characters. Has anyone else run into this or similar viruses as of late?
itman, posted April 18, 2017 (edited)

Below are a couple of links on Spora. The G-Data article indicates it can arrive on an infected USB drive and it has worm characteristics. In any case, it appears someone "let it in" since it repeatedly asks to elevate privileges via UAC prompt.

https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/
https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware

Here's the bleepingcomputer.com thread on the bugger:
https://www.bleepingcomputer.com/forums/t/636975/spora-ransomware-support-and-help-topic/page-1

Also your files might be encrypted since Spora doesn't generate a unique file extension.

Edited April 18, 2017 by itman
itman, posted April 19, 2017

17 hours ago, 8bit said:
"ESET NOD32 does not pick up the infections after scanning."

Forgot to mention that most ransomware, and I assume also Spora, will delete all ransomware malware files after the second stage of the infection is accomplished. That is, the first boot after all files have been encrypted, where the malware will delete all shadow volume copies, etc. to ensure any local file recovery is impossible. Hence, any subsequent scanning by an AV will find no malware traces of the ransomware. However, current ransomware are delivering secondary malware payloads. So AV scanning after a ransomware incident is mandatory to detect and remove those infections if they exist.

Hopefully, you have backups of your network files you can recover from?
8bit, posted April 19, 2017 (author)

Thank you for your response and help, itman. Per ESET support via phone, they added Spora to their database of definitions back in January of this year. We are currently restoring files from backups but are looking to prevent future infections. Another odd thing is that the online scanner from ESET has identified it while our local copy does not, and that is with updated virus definitions. We have yet to find an infection with our local copy of ESET. Also, we don't currently use a malware application on our desktops, but Malwarebytes didn't find any infections either. Makes sense what you said in your second reply regarding the scanning for infections. We are just doing what we can to prevent future infections. Many thanks!
itman, posted April 19, 2017 (edited)

Per the G-Data write-up:

"This sample is an HTA application with obfuscated VBScript code. According to Bleepingcomputer it arrived in a ZIP archive via email attachment. Submissions on VirusTotal show the filename Скан-копия _ 10 января 2017г. Составлено и подписано главным бухгалтером. Экспорт из 1С.a01e743_рdf.hta. The HTA file writes a JScript file to %TEMP%\close.js and executes it. The JScript file in turn is a dropper for a Word document that is written to %TEMP%\doc_6d518e.docx and a PE file that is saved to %TEMP%\81063163ded.exe. Both files are opened by close.js, the Word document with a parameter to show and focus the window, and the PE file with a parameter to hide it. As a result the document will be opened by the set default application for .docx files, e.g., Word, but an error message is shown because it is corrupt. The PE file 81063163ded.exe has a seemingly random name, but it is actually hardcoded by the dropper. The PE file is UPX packed and contains the actual payload."

Although I use Smart Security 10, I additionally added the HIPS rules ESET recommended to their Endpoint users. One of those rules is to block/monitor any cscript/wscript plus PowerShell program startup from System32/SysWOW64 mshta.exe. This rule would have prevented the above .js based Spora payload from executing.

Edited April 19, 2017 by itman
8bit, posted April 19, 2017 (author)

itman, can you kindly point me to the HIPS rules that ESET recommends? I'll put them into place ASAP! Again, thank you for your help!
itman, posted April 19, 2017 (edited)

24 minutes ago, 8bit said:
"itman, can you kindly point me to the HIPS rules that ESET recommends? I'll put them into place ASAP! Again, thank you for your help!"

This article is a "best practices" recommendation for ransomware protection:
https://support.eset.com/kb3433/

This article contains the specific anti-ransomware HIPS rules:
http://support.eset.com/kb6119/

Also, as an FYI in regards to script-delivered malware: in most cases, the malware is packed and obfuscated to avoid AV signature detection. On Win 10, ESET uses the AMSI interface to scan those scripts after they decrypt but prior to being loaded into memory and executed. One of a number of reasons to upgrade to Win 10.

Edited April 19, 2017 by itman
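As an added illustration of the parent/child HIPS rule itman describes (mshta.exe launching wscript/cscript/PowerShell) and of the %TEMP%\close.js drop from the G-Data excerpt, here is a small detection check run over constructed process-creation events. This is example code written for this thread, not ESET's HIPS implementation or code from either poster; the Sysmon-style key="value" lines, user name and paths are made-up samples.

```python
"""Flag script hosts started by mshta.exe and script hosts running scripts out of
%TEMP%, the two behaviours the Spora HTA chain in this thread exhibits.
The events below are constructed samples in a Sysmon-like key="value" form."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
LAUNCHERS = {"mshta.exe"}
# Matches a script path under the per-user temp directory (%TEMP% on Windows).
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed events: 0 and 3 mirror the close.js chain; 1 and 2 are benign noise.
SAMPLE_EVENTS = [
    'ParentImage="C:\\Windows\\System32\\mshta.exe" Image="C:\\Windows\\System32\\wscript.exe" CommandLine="wscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\close.js"',
    'ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" CommandLine="WINWORD.EXE /n report.docx"',
    'ParentImage="C:\\Windows\\System32\\cmd.exe" Image="C:\\Windows\\System32\\cscript.exe" CommandLine="cscript.exe C:\\Scripts\\inventory.vbs"',
    'ParentImage="C:\\Windows\\SysWOW64\\mshta.exe" Image="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell.exe -WindowStyle Hidden -File C:\\Users\\bob\\AppData\\Local\\Temp\\stage2.ps1"',
]

def parse_event(line):
    """Turn one key="value" event line into a dict of field name to value."""
    return dict(FIELD_RE.findall(line))

def classify(event):
    """Return the names of the rules that fire for one process-creation event."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    hits = []
    # Rule 1: the HIPS rule from the thread, mshta.exe spawning a script host.
    if parent in LAUNCHERS and child in SCRIPT_HOSTS:
        hits.append("mshta_spawns_script_host")
    # Rule 2: a script host executing a script dropped into %TEMP% (close.js pattern).
    if child in SCRIPT_HOSTS and TEMP_DIR_RE.search(event.get("CommandLine", "")):
        hits.append("script_host_runs_from_temp")
    return hits

def scan(lines):
    """Map the index of each offending event to the rules it triggered."""
    results = {}
    for idx, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            results[idx] = hits
    return results

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

Rule 1 alone would miss a script host started by some other launcher, which is why the %TEMP% check is kept as a second, independent signal rather than folded into the first.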