Spora Ransomware Infects ‘Offline’—Without Talking to Control Server

Spora is a ransomware family that encrypts victims’ files and demands money to decrypt the files. It has infected many computers in a short time due to a huge spam campaign. It has a very special feature—to work offline.

Propagation vector

The spam campaign carries a .zip file, which contains an HTA (HTML Application) file to evade detection from some email scanners and maximize its outreach. The contents of the email are carefully crafted to lure victims using social engineering techniques. This HTA file also tricks users by using the double extensions rtf.hta and doc.hta. If file extensions are hidden on victim’s machines, then they will see only the first extension and might be fooled into opening the file.

The spam email looks like this:

The contents of HTA file:

At runtime the HTA file drops a JavaScript file in the %Temp% folder. Further JavaScript extracts an executable with a random name (in this case: goodtdeaasdbg54.exe) in %TEMP% and executes.

The HTA file also extracts and executes a .docx file that is corrupted and returns an error to distract the victims:

Analysis

Goodtdeaasdbg54.exe is packed using the UPX packer and contains the payload (Spora). It first checks whether a copy of this file is running in memory. If not, it creates a mutex. Spora uses mutex objects to avoid infecting the system more than once.

Spora checks for the logical drives available in the system:

Once a resource is available, Spora searches for files to encrypt but avoids “windows,” “Program files,” and “games.”

Spora removes the volume shadow copies from the target’s system, thereby preventing the user from restoring the encrypted files. (A shadow copy is a Windows feature that helps users make backup copies (snapshots) of computer files or volumes.) To delete the shadow volume copies, Spora uses the command “vssadmin.exe Delete Shadows /All /Quiet.” This ransomware uses the vssadmin.exe utility to quietly delete all the shadow volume copies on the computer.

It also creates .lnk files along with .key and .lst files in the root drive.

Spora also deletes the registry value to remove the shortcut icons.

Encryption process

Step 1: It generates a random “per file AES” symmetric key for each file.

Step 2: Spora generates a local public-private key pair.

Step 3: The public key generated from Step 2 will encrypt the “per file AES” key and append it to the encrypted file.

Step 4: After encrypting all the files, Spora generates a unique AES symmetric key.

Step 5: The private key generated in Step 2 is copied into the .key file and encrypted by the unique AES key generated in Step 4.

Step 6: Finally the unique AES key is encrypted by decrypting the public key (explained below) and appending it to the .key file.

The malware author’s public key is embedded in the malware executable using a hardcoded AES key. The decrypted public key:

The decryption is possible only by the private key held by the malware author. Once the payment is done, the author may provide victims with the private RSA key to decrypt the encrypted AES key appended in the .key file. The decrypted AES key will decrypt the remaining .key file, which contains the user’s private RSA key.

The whole process is bit complex and lengthy but using this scheme Spora successfully avoids the dependency of obtaining a key from a control server and can work offline.

Key file

Spora encrypts six types of file extensions:

The .key filename contains information in the following format:

And encodes all this information with a substitution method.

In our case US736-C9XZT-RTZTZ-TRHTX-HYYYY.KEY translates to:

  • USA as locale.
  • The characters “736C9” for the beginning of the MD5 hash.
  • 10 encrypted office documents (Type 1).
  • Two encrypted PDF (Type 2).
  • Zero encrypted CorelDraw/AutoCAD/Photoshop files (Type 3).
  • Zero encrypted database files (Type 4).
  • 25 encrypted images (Type 5).
  • 15 encrypted archives (Type 6).

The decoding mechanism of .key file:

Ransom message

The ransom note is written in Russian, here with our translation:

The Spora payment site provides several packages for victims with different prices with a deadline.

The hashes used in the analysis:

  • a159ef758075c9fb64d3f06ff4b40a72e1be3061
  • 0c1007ba3ef9255c004ea1ef983e02efe918ee59

Intel Security advises users to keep their antimalware signatures up to date at all times. Intel Security products detect the malicious HTA file and Spora binary as JS/Spora.a and Ransom-Spora! [Partial hash], respectively, with DAT Versions 8435 and later.

This post was prepared with the invaluable assistance of Sourabh Kadam. 

 

2 comments on “Spora Ransomware Infects ‘Offline’—Without Talking to Control Server

  • Wow ! Nice information in very well planned template.

    But how vssadmin is worth using without admin privileges ?

    Reply
    • Intel Security says:

      In the case of Spora ransomware, when the file from the spam mail attachment is executed, it prompts the “UAC” to grant permission to proceed. If the user grants permission, only then will the malware continue. Vssadmin, which is executed by the parent file, will also get administrator privilege, leading to vssadmin deleting the snapshots.

      Reply

Leave a Comment

seventeen + fifteen =