#1243065: renamer destructive malware via fake inquiry email

Description: A slightly different malware than usual to report on this morning. I haven’t previously seen an out and out destructive malware like this sent in mass malspam for many years. It must be intended to act as some sort of ransomware but there is no ransom note or instruction. It initially copies itself to C:\Users\admin\AppData\Roaming\Paint.exe and then sets a startup for that file then it searches for & finds any .exe files, initially in downloads folder or desktop renames them to voriginalfilename.exe & copies itself to the original filename, so it runs when that file is opened by the victim. It then moves on to all .exe files in program files & then anywhere on the computer it can find a .exe except it appears to leave the windows/ system32 folder alone.

Each renamed file has a different MD5# to the original, and each renamed file has an individual MD5# although the files look identical in a hex editor. The malware must just change 1 or 2 unimportant bytes, which is just enough to throw some security tools off.

I can’t really see the purpose of it, except as a destructive program, intending to destroy the recipients computer. I suppose it might have been released early by mistake or as a test to see how it works in the wild. Most malware in this modern age is designed to steal something or ransom you. The criminals want to make money. Destroying the recipient’s computer won’t make any money, just cause immense annoyance.

I could only get this to run “properly” on W8.1 (32 bit) using Anyrun and it did almost nothing on W7 or W10. It does something on W8.1 (64 bit) but not as much as a on a 32 bit system. Hybrid analysis does show some of the renaming effect on W7 (32 bit). This is actually very well detected by VirusTotal. I am not sure whether this is a Virus, a Worm or a Trojan.

The email template style & the way the email uses broken .rar attachments wrongly named as .r00 means that most recipients should be safe from this, you need to rename the .r00 to .rar to be able to extract the malicious file in the first place.

I have been seeing these style of emails with broken .rar delivering a range of common malwares including Lokibot, fareit, Hawkeye, Remcos etc over recent weeks. I don’t know which bad actor is distributing them but a lot are coming from 37.49.225.24 AS199264 ESTOXY OU an Icelandic webhost.

These do not come from any AOL user . They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails and their address was simply spoofed.

One of the emails looks like:

From: AL-Amin Jameel <redacted@aol.co.uk>

Date: Thu 10/01/2019 09:17

Subject: Inquiry

Attachment: Doc7970337125-19012019-SHN2019000000003.pdf.r00

Body content:

Greetings and Compliments

This is AL-Amin Enterprises Trading Co.W.L.L, from Moroni, Comoros

We are in urgent need of your products as attached, Please send to us your best offer, CNF Moroni, Comoros.



Best regards,

AL-Amin Jameel

Purchasing Manager.

Screenshot:
Fake inquiry email



First Aid: IOC: 09d45cd62a59a818669097f4adcec966 d70586da1b038d77fadd4d69afe259fa13a3df06 37.49.225.24 AS199264 ESTOXY OU
More info: https://myonlinesecurity.co.uk/renamer-destructive-malware-via-fake-inquiry-email/

Date added Jan. 10, 2019, 11:41 p.m.
Source My Online Security
Subjects
  • All New Malware Alerts - New Reports / IOCs in
  • Phishing Alerts - Non-Banking
  • Scam/Fraud/Hoax Alerts
  • Spear Phishing / Angler Phishing / Whaling / CEO Fraud / W2 Fraud